
List:       oss-security
Subject:    Re: [oss-security] CVE Request -- moodle 1.9.7 and 1.8.11
From:       "Steven M. Christey" <coley () linus ! mitre ! org>
Date:       2009-12-12 2:50:26
Message-ID: Pine.GSO.4.64.0912112134260.29993 () faron ! mitre ! org


On Sun, 6 Dec 2009, Jan Lieskovsky wrote:

>    * MSA-09-0022 - Multiple CSRF problems fixed

Use CVE-2009-4297


>    * MSA-09-0023 - Fixed user account disclosure in LAMS module

Use CVE-2009-4298


>    * MSA-09-0024 - Fixed insufficient access control in Glossary module


Use CVE-2009-4299

>    * MSA-09-0025 - Unneeded MD5 hashes removed from user table


Use CVE-2009-4300

>    * MSA-09-0026 - Fixed invalid application access control in MNET 
> interface

Use CVE-2009-4301


>    * MSA-09-0027 - Ensured login information is always sent secured when 
> using SSL for logins

Use CVE-2009-4302


>    * MSA-09-0028 - Passwords and secrets are no longer ever saved in 
> backups, new backup capabilities
>                    moodle/backup:userinfo and moodle/restore:userinfo for 
> controlling who can
>                    backup/restore user data, new checks in the security 
> overview report help
>                    admins identify dangerous backup permissions

Use CVE-2009-4303

This will be focused on the storage of passwords and secrets in backups; 
the remainder are considered defense-in-depth changes and are not being 
considered for CVE.  (Arguments welcome.)


>    * MSA-09-0029 - A strong password policy is now enabled by default, 
> enabling password salt
>                    is encouraged in config.php, admins are forced to change 
> password after the
>                    upgrade and admins can force password change on other 
> users via Bulk user actions

Use CVE-2009-4304

This will focus on the lack of password salt; the remainder are considered 
defense-in-depth changes and are not being considered for CVE.  (Arguments 
welcome.)


>    * MSA-09-0030 - New detection of insecure Flash player plugins, Moodle 
> won't serve Flash to insecure plugins

This seems to be a defense-in-depth fix, which typically does not receive 
a CVE.


>    * MSA-09-0031 - Fixed SQL injection in SCORM module

Use CVE-2009-4305


Descriptions will be filled in later.

- Steve