oss-sec mailing list archives
Re: CVE Request -- moodle 1.9.7 and 1.8.11
From: "Steven M. Christey" <coley () linus mitre org>
Date: Fri, 11 Dec 2009 21:50:26 -0500 (EST)
On Sun, 6 Dec 2009, Jan Lieskovsky wrote:
* MSA-09-0022 - Multiple CSRF problems fixed
Use CVE-2009-4297
* MSA-09-0023 - Fixed user account disclosure in LAMS module
Use CVE-2009-4298
* MSA-09-0024 - Fixed insufficient access control in Glossary module
Use CVE-2009-4299
* MSA-09-0025 - Unneeded MD5 hashes removed from user table
Use CVE-2009-4300
* MSA-09-0026 - Fixed invalid application access control in MNET interface
Use CVE-2009-4301
* MSA-09-0027 - Ensured login information is always sent secured when using SSL for logins
Use CVE-2009-4302
* MSA-09-0028 - Passwords and secrets are no longer ever saved in backups, new backup capabilities moodle/backup:userinfo and moodle/restore:userinfo for controlling who can backup/restore user data, new checks in the security overview report helpadmins identify dangerous backup permissions
Use CVE-2009-4303This will be focused on the storage of passwords and secrets in backups; the remainder are considered defense-in-depth changes and not being considered for CVE. (Arguments welcome.)
* MSA-09-0029 - A strong password policy is now enabled by default, enabling password salt in encouraged in config.php, admins are forced to change password after the upgrade and admins can force password change on other users via Bulk user actions
Use CVE-2009-4304This will focus on the lack of password salt; the remainder are considered defense-in-depth changes and not being considered for CVE. (Arguments welcome.)
* MSA-09-0030 - New detection of insecure Flash player plugins, Moodle won't serve Flash to insecure plugins
This seems to be a defense-in-depth fix, which typically does not receive a CVE.
* MSA-09-0031 - Fixed SQL injection in SCORM module
Use CVE-2009-4305 Descriptions will be filled in later. - Steve
Current thread:
- CVE Request -- moodle 1.9.7 and 1.8.11 Jan Lieskovsky (Dec 06)
- Re: CVE Request -- moodle 1.9.7 and 1.8.11 Steven M. Christey (Dec 11)