Apart from the security issues commented on in this bug, 10 more security issues that affect moodle in stable and testing/sid were discovered recently.
Adding them to this bug instead of creating a new one.

Summary:

CVE-2012-0792 Moodle MSA-12-0002: Personal information leak
CVE-2012-0793 Moodle MSA-12-0004: Added profile image security
CVE-2012-0794 Moodle MSA-12-0005: Encryption enhancement
CVE-2012-0795 Moodle MSA-12-0006: Additional email address validation
CVE-2012-0796 Moodle MSA-12-0007: Email injection prevention
CVE-2012-0797 Moodle MSA-12-0008: Unsynchronised access via tokens
CVE-2012-0798 Moodle MSA-12-0009: Role access issue
CVE-2012-0799 Moodle MSA-12-0010: Unauthorised access to session key
CVE-2012-0800 Moodle MSA-12-0011: Browser autofill password issue
CVE-2012-0801 Moodle MSA-12-0012: Form validation issue

-------- Original Message --------
Date: Fri, 20 Jan 2012 11:33:31 -0700
From: Vincent Danen <vda...@redhat.com>
To: oss-secur...@lists.openwall.com
Subject: [oss-security] CVE request: moodle 2.2.1, 2.1.4, 2.0.7, 1.9.16 vulnerabilities

New moodle releases were made to fix a number of flaws (summarized below). Could CVEs be assigned to these?
[1] http://docs.moodle.org/dev/Moodle_2.2.1_release_notes
[2] http://docs.moodle.org/dev/Moodle_2.1.4_release_notes
[3] http://docs.moodle.org/dev/Moodle_2.0.7_release_notes
[4] http://docs.moodle.org/dev/Moodle_1.9.16_release_notes

MSA-12-0001: Recaptcha transmission consistency issue
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=b608b227bac4efba76da43dabe9bc2e32fb8fa32
Reference: http://moodle.org/mod/forum/discuss.php?d=194008

MSA-12-0002: Personal information leak
Affects: 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=36b0ddeed45d0751508dcd9fa50f17fda43bae54
Reference: http://moodle.org/mod/forum/discuss.php?d=194009

MSA-12-0003: Added password protection
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=aa30d3e8ce0dd41d3d0f7dae856beb180fed1f83
Reference: http://moodle.org/mod/forum/discuss.php?d=194011

MSA-12-0004: Added profile image security
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commit;h=90911c4ff98dc2078a3acef5ddf5a1a8f7e20ba5
Reference: http://moodle.org/mod/forum/discuss.php?d=194012

MSA-12-0005: Encryption enhancement
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=98456628a24bba25d336860d38a45b5a4e3895da
Reference: http://moodle.org/mod/forum/discuss.php?d=194013

MSA-12-0006: Additional email address validation
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-13572
Reference: http://moodle.org/mod/forum/discuss.php?d=194014

MSA-12-0007: Email injection prevention
Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9
Reference: http://moodle.org/mod/forum/discuss.php?d=194015

MSA-12-0008: Unsynchronised access via tokens
Affects: 2.2, 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28126
Reference: http://moodle.org/mod/forum/discuss.php?d=194016

MSA-12-0009: Role access issue
Affects: 2.2, 2.1.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29469
Reference: http://moodle.org/mod/forum/discuss.php?d=194017

MSA-12-0010: Unauthorised access to session key
Affects: 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27334
Reference: http://moodle.org/mod/forum/discuss.php?d=194018

MSA-12-0011: Browser autofill password issue
Affects: 2.2, 2.1.x, 2.0.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=6e9989dbd3f261b2e1586ff77b0bf22fc7091485
Reference: http://moodle.org/mod/forum/discuss.php?d=194019

MSA-12-0012: Form validation issue
Affects: 2.2, 2.1.x
Fix: http://git.moodle.org/gw?p=moodle.git;a=commit;h=51070abc78b9e1db1db9a44855e8623b22bebd48
Reference: http://moodle.org/mod/forum/discuss.php?d=194020

-- 
Vincent Danen / Red Hat Security Response Team

-------- Original Message --------
Date: Sat, 21 Jan 2012 17:15:29 -0700
From: Kurt Seifried <kseifr...@redhat.com>
To: oss-secur...@lists.openwall.com
Subject: Re: [oss-security] CVE request: moodle 2.2.1, 2.1.4, 2.0.7, 1.9.16 vulnerabilities

On 01/20/2012 11:33 AM, Vincent Danen wrote:
> New moodle releases were made to fix a number of flaws (summarized
> below). Could CVEs be assigned to these?
>
> [1] http://docs.moodle.org/dev/Moodle_2.2.1_release_notes
> [2] http://docs.moodle.org/dev/Moodle_2.1.4_release_notes
> [3] http://docs.moodle.org/dev/Moodle_2.0.7_release_notes
> [4] http://docs.moodle.org/dev/Moodle_1.9.16_release_notes
>

Summary:

CVE-2012-0792 Moodle MSA-12-0002: Personal information leak
CVE-2012-0793 Moodle MSA-12-0004: Added profile image security
CVE-2012-0794 Moodle MSA-12-0005: Encryption enhancement
CVE-2012-0795 Moodle MSA-12-0006: Additional email address validation
CVE-2012-0796 Moodle MSA-12-0007: Email injection prevention
CVE-2012-0797 Moodle MSA-12-0008: Unsynchronised access via tokens
CVE-2012-0798 Moodle MSA-12-0009: Role access issue
CVE-2012-0799 Moodle MSA-12-0010: Unauthorised access to session key
CVE-2012-0800 Moodle MSA-12-0011: Browser autofill password issue
CVE-2012-0801 Moodle MSA-12-0012: Form validation issue

>
> MSA-12-0001: Recaptcha transmission consistency issue
> Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=b608b227bac4efba76da43dabe9bc2e32fb8fa32
> Reference: http://moodle.org/mod/forum/discuss.php?d=194008
>

This is an enhancement and appears to have no security impact.

>
> MSA-12-0002: Personal information leak
> Affects: 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=36b0ddeed45d0751508dcd9fa50f17fda43bae54
> Reference: http://moodle.org/mod/forum/discuss.php?d=194009
>

Please use CVE-2012-0792 for this issue.

> MSA-12-0003: Added password protection
> Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=aa30d3e8ce0dd41d3d0f7dae856beb180fed1f83
> Reference: http://moodle.org/mod/forum/discuss.php?d=194011
>

Security enhancement to help prevent browsers from remembering a user's password.

>
> MSA-12-0004: Added profile image security
> Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commit;h=90911c4ff98dc2078a3acef5ddf5a1a8f7e20ba5
> Reference: http://moodle.org/mod/forum/discuss.php?d=194012
>

Please use CVE-2012-0793 for this issue.

>
> MSA-12-0005: Encryption enhancement
> Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=98456628a24bba25d336860d38a45b5a4e3895da
> Reference: http://moodle.org/mod/forum/discuss.php?d=194013
>

Please use CVE-2012-0794 for this issue.

> MSA-12-0006: Additional email address validation
> Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-13572
> Reference: http://moodle.org/mod/forum/discuss.php?d=194014
>

Please use CVE-2012-0795 for this issue.

>
> MSA-12-0007: Email injection prevention
> Affects: 2.2, 2.1.x, 2.0.x, 1.9.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9
> Reference: http://moodle.org/mod/forum/discuss.php?d=194015
>

Please use CVE-2012-0796 for this issue.

>
> MSA-12-0008: Unsynchronised access via tokens
> Affects: 2.2, 2.1.x, 2.0.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28126
> Reference: http://moodle.org/mod/forum/discuss.php?d=194016
>

Please use CVE-2012-0797 for this issue.

>
> MSA-12-0009: Role access issue
> Affects: 2.2, 2.1.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29469
> Reference: http://moodle.org/mod/forum/discuss.php?d=194017
>

Please use CVE-2012-0798 for this issue.

>
> MSA-12-0010: Unauthorised access to session key
> Affects: 2.1.x, 2.0.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27334
> Reference: http://moodle.org/mod/forum/discuss.php?d=194018
>

Please use CVE-2012-0799 for this issue.

>
> MSA-12-0011: Browser autofill password issue
> Affects: 2.2, 2.1.x, 2.0.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=6e9989dbd3f261b2e1586ff77b0bf22fc7091485
> Reference: http://moodle.org/mod/forum/discuss.php?d=194019
>

Please use CVE-2012-0800 for this issue.

>
> MSA-12-0012: Form validation issue
> Affects: 2.2, 2.1.x
> Fix:
> http://git.moodle.org/gw?p=moodle.git;a=commit;h=51070abc78b9e1db1db9a44855e8623b22bebd48
> Reference: http://moodle.org/mod/forum/discuss.php?d=194020
>

Please use CVE-2012-0801 for this issue.

-- 
Kurt Seifried / Red Hat Security Response Team

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carlos Alberto Lopez Perez                    http://neutrino.es
Igalia - Free Software Engineering            http://www.igalia.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~