[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE Request -- moodle 1.9.7 and 1.8.11
From: "Steven M. Christey" <coley () linus ! mitre ! org>
Date: 2009-12-12 2:50:26
Message-ID: Pine.GSO.4.64.0912112134260.29993 () faron ! mitre ! org
[Download RAW message or body]
On Sun, 6 Dec 2009, Jan Lieskovsky wrote:
> * MSA-09-0022 - Multiple CSRF problems fixed
Use CVE-2009-4297
> * MSA-09-0023 - Fixed user account disclosure in LAMS module
Use CVE-2009-4298
> * MSA-09-0024 - Fixed insufficient access control in Glossary module
Use CVE-2009-4299
> * MSA-09-0025 - Unneeded MD5 hashes removed from user table
Use CVE-2009-4300
> * MSA-09-0026 - Fixed invalid application access control in MNET
> interface
Use CVE-2009-4301
> * MSA-09-0027 - Ensured login information is always sent secured when
> using SSL for logins
Use CVE-2009-4302
> * MSA-09-0028 - Passwords and secrets are no longer ever saved in
> backups, new backup capabilities
> moodle/backup:userinfo and moodle/restore:userinfo for
> controlling who can
> backup/restore user data, new checks in the security
> overview report help
> admins identify dangerous backup permissions
Use CVE-2009-4303
This will be focused on the storage of passwords and secrets in backups;
the remainder are considered defense-in-depth changes and not being
considered for CVE. (Arguments welcome.)
> * MSA-09-0029 - A strong password policy is now enabled by default,
> enabling password salt
> in encouraged in config.php, admins are forced to change
> password after the
> upgrade and admins can force password change on other
> users via Bulk user actions
Use CVE-2009-4304
This will focus on the lack of password salt; the remainder are considered
defense-in-depth changes and not being considered for CVE. (Arguments
welcome.)
> * MSA-09-0030 - New detection of insecure Flash player plugins, Moodle
> won't serve Flash to insecure plugins
This seems to be a defense-in-depth fix, which typically does not receive
a CVE.
> * MSA-09-0031 - Fixed SQL injection in SCORM module
Use CVE-2009-4305
Descriptions will be filled in later.
- Steve
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic