oss-sec mailing list archives
Moodle security notifications public
From: Michael de Raadt <michaeld () moodle com>
Date: Mon, 25 Nov 2013 08:49:06 +0800
The following security notifications are now public after a delayed release.*Please note that the MSA security numbers reported earlier were incorrect and out of sequence. These should be corrected.*
Thanks to OSS members for their continued cooperation.
=======================================================================
MSA-13-0036 (not MSA-13-25): Incorrect headers sent for secured resources
Description: Some files were being delivered with incorrect
headers, meaning they could be cached downstream.
Issue summary: Incorrect headers emitted for secured resources
Severity/Risk: Minor
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Tony Levi
Issue no.: MDL-38743, MDL-42686
CVE identifier: CVE-2013-4522
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38743
=======================================================================
MSA-13-0037 (not MSA-13-26): Cross site scripting in Messages
Description: JavaScript in messages was being executed on some
pages.
Issue summary: Cross Site Scripting in Messages
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Panagiotis Petasis
Issue no.: MDL-41941
CVE identifier: CVE-2013-4523
Workaround: Disable messages
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41941
=======================================================================
MSA-13-0038 (not MSA-13-27): Access to server files through repository
Description: The file system repository was allowing access
to files beyond the Moodle file area.
Issue summary: File System repository gives read access to the
whole file system
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Frédéric Massart
Issue no.: MDL-41807
CVE identifier: CVE-2013-4524
Workaround: Do not enable File System repository (default)
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41807
=======================================================================
MSA-13-0039 (not MSA-13-28): Cross site scripting in Quiz
Description: JavaScript in question answers was being executed on
the Quiz Results page.
Issue summary: XSS on view quiz results page
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Michael Hess
Issue no.: MDL-41820
CVE identifier: CVE-2013-4525
Workaround: Disable text-based question types.
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41820
=======================================================================
MSA-13-0040: Cross site scripting vulnerability in YUI library
Description: Flash files distributed with the YUI library
may have allowed for cross-site scripting attacks.
This is additional to MSA-13-0025.
Issue summary: YUI2 security vulnerability
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.9 and earlier unsupported versions
Versions fixed: 2.3.10
Reported by: Petr Škoda
Issue no.: MDL-42780
CVE identifier: CVE-2013-6780
Workaround: Remove all SWF files under the lib/yui directory.
Changes (2.3):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42780
Current thread:
- Moodle security notifications public Michael de Raadt (Nov 24)