oss-sec mailing list archives

Moodle security notifications public


From: Michael de Raadt <michaeld () moodle com>
Date: Mon, 15 Sep 2014 08:44:20 +0800

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0033: URL parameter injection in CAS authentication

Description:       A flaw in the third-party CAS library, utilised by
                   Moodle, has been found, which could potentially
                   allow unauthorised access and privilege escalation.
Issue summary:     Upgrade phpCAS to 1.3.3 or greater - security
                   vulnerabilities
Severity/Risk:     Serious
Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier
                   unsupported versions
Versions fixed:    2.7.2 and 2.6.5 (NOTE: A fix to 2.5 was not
                   possible. CAS users with Moodle 2.5 or earlier are
                   encouraged to upgrade to a more recent release.)
Reported by:       Eric Merrill
Issue no.:         MDL-46766
CVE identifier:    CVE-2014-4172
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46766
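
Added example for MSA-14-0033 (editor's illustration; not code from Moodle,
phpCAS or the advisory). The notice only names the bug class, "URL parameter
injection", so the snippet below does not reproduce the phpCAS defect; it
shows the client-side step where that class lives: a CAS client rebuilds the
"service" URL from the incoming request and strips the ticket before asking
the CAS server to validate it, and the rebuilt value must be byte-identical to
what was sent at login. Parsing the query and dropping the ticket key gives
that; cutting "ticket=" out of the raw string does not. Host names, paths and
parameter names are made up.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
import re

# Constructed sample URLs (hypothetical host and paths, not from the advisory).
# LOGIN_TIME_URL is what the application sent as service= when it redirected
# the browser to the CAS login page; CALLBACK_URL is what the browser comes
# back with once CAS has appended a ticket (plus a fragment the server never
# receives anyway).
LOGIN_TIME_URL = "https://app.example/cb?next=%2Fhome%3Fticket%3Dold&myticket=abc"
CALLBACK_URL = LOGIN_TIME_URL + "&ticket=ST-1-example#frag"


def service_url(request_url: str) -> str:
    """Rebuild the CAS service URL from the current request by parsing it.

    Every 'ticket' key is dropped (the ticket must never be part of the service
    the client validates against), the other parameters keep their order and
    are re-encoded, and the fragment is discarded.  Percent-encoded bytes inside
    a value, such as the '?ticket=' hidden in next=, survive untouched because
    the query is decoded into key/value pairs before the ticket is removed.
    """
    parts = urlsplit(request_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != "ticket"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), ""))


def service_url_string_surgery(request_url: str) -> str:
    """Fragile pattern, shown for contrast: cut 'ticket=...' out of the raw string.

    Illustrative only; this is not phpCAS code.  A substring match also hits
    keys that merely end in 'ticket', so the rebuilt value diverges from the
    one sent at login and the CAS server ends up validating the ticket against
    a service it was never issued for.
    """
    url = request_url.split("#", 1)[0]
    return re.sub(r"ticket=[^&]*&?", "", url)


def validation_url(cas_base: str, request_url: str) -> str:
    """Build the /serviceValidate request for the ticket carried in request_url.

    Exactly one ticket parameter is accepted; duplicates are refused rather
    than silently picking one of them.
    """
    parts = urlsplit(request_url)
    tickets = [v for k, v in parse_qsl(parts.query) if k == "ticket"]
    if len(tickets) != 1:
        raise ValueError("expected exactly one ticket parameter")
    query = urlencode({"service": service_url(request_url), "ticket": tickets[0]})
    return f"{cas_base.rstrip('/')}/serviceValidate?{query}"


if __name__ == "__main__":
    print(service_url(CALLBACK_URL))                 # matches LOGIN_TIME_URL
    print(service_url_string_surgery(CALLBACK_URL))  # truncated after "&my"
    print(validation_url("https://cas.example/cas", CALLBACK_URL))
```

The check worth keeping from this: run the same service-URL builder on the
URL used at login and on the callback URL and compare the two strings; any
difference means the validation request names a service the ticket was not
issued for.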

=======================================================================
MSA-14-0034: Identity information revealed early in Q&A forum

Description:       Users who had not yet posted the required answer in
                   a Q&A forum in order to access past posts were able
                   to see the name of the last person who had posted.
Issue summary:     Other authors are visible in /mod/forum/view.php
                   before student has posted their own answer.
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier
                   unsupported versions
Versions fixed:    2.7.2, 2.6.5 and 2.5.8
Reported by:       Amanda Doughty
Issue no.:         MDL-46619
CVE identifier:    CVE-2014-3617
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46619

=======================================================================

