List: oss-security
Subject: [oss-security] Moodle security notifications public
From: Michael de Raadt <michaeld () moodle ! com>
Date: 2013-11-25 0:49:06
Message-ID: 52929E82.1040101 () moodle ! com
The following security notifications are now public after a delayed release.
*Please note that the MSA security numbers reported earlier were
incorrect and out of sequence. These should be corrected.*
Thanks to OSS members for their continued cooperation.
=======================================================================
MSA-13-0036 (not MSA-13-25): Incorrect headers sent for secured resources
Description: Some files were being delivered with incorrect
headers, meaning they could be cached downstream.
Issue summary: Incorrect headers emitted for secured resources
Severity/Risk: Minor
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Tony Levi
Issue no.: MDL-38743, MDL-42686
CVE identifier: CVE-2013-4522
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38743
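The practical question behind MSA-13-0036 is whether a login-protected file response carries headers that let a shared cache (reverse proxy, CDN, corporate proxy) store it and hand it to the next client unauthenticated. Session cookies do not stop that: RFC 7234 only restricts shared caching of responses to requests with an Authorization header, so the origin has to say `private`/`no-store` explicitly. The following is an added example, not Moodle's code or the fix linked above; the header sets at the bottom are constructed for the illustration and were not captured from any Moodle instance.

```python
"""Decide whether a response's headers let a shared cache (proxy, CDN,
reverse proxy in front of the LMS) store it and serve it fresh to another
client.

Added example for the MSA-13-0036 class of bug, not Moodle's code. The header
sets at the bottom are constructed for the example.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """'private, max-age=0' -> {'private': None, 'max-age': '0'} (names lower-cased)."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def _http_date(value):
    """Parse an HTTP-date; naive results are taken as UTC. None if unparsable."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def shared_cache_may_store(headers, now=None):
    """True if RFC 7234 rules let a shared cache store the response and serve
    it fresh to another client. Header names are matched case-insensitively.
    `now` (aware datetime) overrides the Date header when only Expires carries
    the freshness; Pragma is ignored because it is a request directive."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))

    # Any of these forbids reuse without going back to the origin. A qualified
    # no-cache="field" is treated the same, conservatively.
    if "no-store" in cc or "private" in cc or "no-cache" in cc:
        return False

    lifetime = None
    for name in ("s-maxage", "max-age"):          # s-maxage wins for shared caches
        arg = cc.get(name)
        if arg is not None and arg.isdigit():
            lifetime = int(arg)
            break

    if lifetime is None and "expires" in h:
        expires = _http_date(h["expires"])
        if expires is None:                        # "Expires: 0" and the like mean already expired
            return False
        reference = now or _http_date(h.get("date", "")) or datetime.now(timezone.utc)
        lifetime = int((expires - reference).total_seconds())

    if lifetime is None:
        # No explicit freshness: caches may compute a heuristic lifetime for a
        # 200 response that carries Last-Modified.
        return "last-modified" in h

    return lifetime > 0


# Constructed header sets (not captured from any Moodle instance).
LEAKY_FILE_RESPONSE = {
    "Date": "Mon, 25 Nov 2013 00:49:06 GMT",
    "Content-Type": "application/pdf",
    "Last-Modified": "Sun, 24 Nov 2013 10:00:00 GMT",
    "Cache-Control": "max-age=86400",
}

HARDENED_FILE_RESPONSE = {
    "Date": "Mon, 25 Nov 2013 00:49:06 GMT",
    "Content-Type": "application/pdf",
    "Cache-Control": "private, no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
}


def audit(name, headers):
    """Print and return the verdict for one header set."""
    verdict = shared_cache_may_store(headers)
    print(f"{name}: {'CACHEABLE by shared caches' if verdict else 'not shared-cacheable'}")
    return verdict


if __name__ == "__main__":
    audit("leaky", LEAKY_FILE_RESPONSE)
    audit("hardened", HARDENED_FILE_RESPONSE)
```

To use it against a live site, feed `shared_cache_may_store()` the response headers of a file URL fetched with a logged-in session; anything that returns True for a resource that needs a login is the bug class this advisory describes.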
=======================================================================
MSA-13-0037 (not MSA-13-26): Cross site scripting in Messages
Description: JavaScript in messages was being executed on some
pages.
Issue summary: Cross Site Scripting in Messages
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Panagiotis Petasis
Issue no.: MDL-41941
CVE identifier: CVE-2013-4523
Workaround: Disable messages
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41941
=======================================================================
MSA-13-0038 (not MSA-13-27): Access to server files through repository
Description: The file system repository was allowing access
to files beyond the Moodle file area.
Issue summary: File System repository gives read access to the
whole file system
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Frédéric Massart
Issue no.: MDL-41807
CVE identifier: CVE-2013-4524
Workaround: Do not enable File System repository (default)
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41807
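The general defence for the MSA-13-0038 class of bug is to confine a user-chosen path to the repository's root by checking where the path resolves, not what the string looks like: `..` components, symlinks inside the tree and NUL bytes all have to be neutralised before the comparison, and the comparison must include a trailing separator so `/srv/files` does not accept `/srv/files2`. The block below is an added example in Python, not Moodle's code or the linked fix, and it exercises the check on a constructed temporary directory tree. Checking and then opening a path is still two operations; the root should be a dedicated directory that nothing else writes into, and the page's own workaround (leave the repository disabled, which is the default) removes the exposure entirely.

```python
"""Confine user-supplied relative paths to a configured root directory.

Added example for the MSA-13-0038 class of bug, not Moodle's code: a
"file system" repository that joins a user-chosen path onto its root without
checking where the result resolves can serve any file the web server can read.
The check below resolves symlinks and `..` before comparing, rejects absolute
paths and NUL bytes, and is exercised on a constructed temporary tree.
"""
import os
import tempfile


class PathOutsideRoot(ValueError):
    """Raised when the requested path resolves outside the allowed root."""


def resolve_inside(root, user_path):
    """Return the canonical absolute path of `user_path` under `root`.

    Raises PathOutsideRoot when the resolved path escapes `root`. The test is
    made on the resolved path (os.path.realpath), so `..` components and
    symlinks inside the tree cannot point back out of it.
    """
    if "\x00" in user_path:                          # truncation trick against C-level APIs
        raise PathOutsideRoot("NUL byte in path")
    if os.path.isabs(user_path) or os.path.splitdrive(user_path)[0]:
        raise PathOutsideRoot("absolute path not allowed")

    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    # Separator appended so that /srv/files does not accept /srv/files2/...
    prefix = root_real.rstrip(os.sep) + os.sep
    if candidate != root_real and not candidate.startswith(prefix):
        raise PathOutsideRoot(f"{user_path!r} resolves to {candidate}, outside {root_real}")
    return candidate


def is_inside(root, user_path):
    """Boolean form of resolve_inside()."""
    try:
        resolve_inside(root, user_path)
        return True
    except PathOutsideRoot:
        return False


def demo():
    """Build a constructed tree and return {request: allowed?} for typical probes.

        tmp/
          outside.txt            <- must never be reachable
          root/                  <- the repository root
            docs/a.txt
            link -> tmp/         <- symlink escaping the root
    """
    tmp = tempfile.mkdtemp(prefix="fsrepo-")
    root = os.path.join(tmp, "root")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "a.txt"), "w") as f:
        f.write("inside\n")
    with open(os.path.join(tmp, "outside.txt"), "w") as f:
        f.write("secret\n")
    probes = ["docs/a.txt", "docs", "./docs/./a.txt", "../outside.txt",
              "docs/../../outside.txt", "../root2/b.txt", "/etc/passwd",
              "docs/a\x00.txt"]
    try:
        os.symlink(tmp, os.path.join(root, "link"))
        probes.append("link/outside.txt")
    except OSError:
        pass                                         # symlinks unavailable on this platform
    return {p: is_inside(root, p) for p in probes}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {request!r}")
```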
=======================================================================
MSA-13-0039 (not MSA-13-28): Cross site scripting in Quiz
Description: JavaScript in question answers was being executed on
the Quiz Results page.
Issue summary: XSS on view quiz results page
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Michael Hess
Issue no.: MDL-41820
CVE identifier: CVE-2013-4525
Workaround: Disable text-based question types.
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41820
=======================================================================
MSA-13-0040: Cross site scripting vulnerability in YUI library
Description: Flash files distributed with the YUI library
may have allowed for cross-site scripting attacks.
This is additional to MSA-13-0025.
Issue summary: YUI2 security vulnerability
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.9 and earlier unsupported versions
Versions fixed: 2.3.10
Reported by: Petr Škoda
Issue no.: MDL-42780
CVE identifier: CVE-2013-6780
Workaround: Remove all SWF files under the lib/yui directory.
Changes (2.3):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42780