oss-sec mailing list archives

Moodle security notifications public


From: Michael de Raadt <michaeld () moodle com>
Date: Mon, 16 Sep 2013 09:48:37 +0800

The following security notifications are now public.

Thanks to OSS members for their cooperation.

=======================================================================
MSA-13-0032: Host verification failure in Amazon S3 repository

Description:       The Amazon S3 repository was not verifying secure
                   hosts
Issue summary:     S3 class uses curl insecurely
Severity/Risk:     Minor
Versions affected: 2.5 to 2.5.1, 2.4 to 2.4.5, 2.3 to 2.3.8, previous
                   unsupported versions
Versions fixed:    2.5.2, 2.4.6 and 2.3.9
Reported by:       Thijs Kinkhorst
Issue no.:         MDL-40615
CVE Identifier:    CVE-2012-6087
Workaround:        Disable Amazon S3 repository (default)
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40615

=======================================================================
MSA-13-0033: Potential SQL injection in Moodle's SQL Server driver

Description:       Null characters were allowed in query strings, which
                   caused SQL statements to terminate and fail
Issue summary:     null byte causes error in ms sql drivers - potential
                   sql injection
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.1, 2.4 to 2.4.5, 2.3 to 2.3.8, previous
                   unsupported versions
Versions fixed:    2.5.2, 2.4.6 and 2.3.9
Reported by:       Ryan Giobbi
Issue no.:         MDL-40676
CVE Identifier:    CVE-2013-4313
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40676

=======================================================================
MSA-13-0034: Object injection through Badges

Description:       Descriptions of external badges were open to
                   exploitation.
Issue summary:     Unserialize external input in badges/external.php
                   allows object injection
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.1
Versions fixed:    2.5.2
Reported by:       Emilio Pinna
Issue no.:         MDL-40924
CVE Identifier:    CVE-2013-5674
Workaround:        Disable Badges
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40924

=======================================================================
MSA-13-0035: Inadequate filtering in Blog

Description:       Links to external blogs were not being adequately
                   cleaned
Issue summary:     XSS in remote blog/rss include
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.1, 2.4 to 2.4.5, 2.3 to 2.3.8, previous
                   unsupported versions
Versions fixed:    2.5.2, 2.4.6 and 2.3.9
Reported by:       Ciaran McNally
Issue no.:         MDL-41623
CVE Identifier:    CVE-2013-4341
Workaround:        Disable Blogs
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41623

