oss-sec mailing list archives
Moodle security notifications public
From: Michael de Raadt <michaeld () moodle com>
Date: Mon, 15 Sep 2014 08:44:20 +0800
The following security notifications are now public after release. Thanks to OSS members for their continued cooperation.

=======================================================================

MSA-14-0033: URL parameter injection in CAS authentication

Description: A flaw in the third-party CAS library, utilised by Moodle, has been found, which could potentially allow unauthorised access and privilege escalation.
Issue summary: Upgrade phpCAS to 1.3.3 or greater - security vulnerabilities
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier unsupported versions
Versions fixed: 2.7.2 and 2.6.5 (NOTE: A fix to 2.5 was not possible. CAS users with Moodle 2.5 or earlier are encouraged to upgrade to a more recent release.)
Reported by: Eric Merrill
Issue no.: MDL-46766
CVE identifier: CVE-2014-4172
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46766

=======================================================================

MSA-14-0034: Identity information revealed early in Q&A forum

Description: Users who had not yet posted the required answer in a Q&A forum in order to access past posts were able to see the name of the last person who had posted.
Issue summary: Other authors are visible in /mod/forum/view.php before student has posted their own answer.
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier unsupported versions
Versions fixed: 2.7.2, 2.6.5 and 2.5.8
Reported by: Amanda Doughty
Issue no.: MDL-46619
CVE identifier: CVE-2014-3617
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46619
=======================================================================