[securityalerts] New Moodle releases 1.9.6 and 1.8.10: Security fixes

Bob Elzer bob.elzer at gmail.com
Mon Oct 26 10:45:35 MST 2009


Lisa is telling us that they are not telling everyone; only registered
Moodle sites are being notified.

Which leaves sites that didn't bother to register hanging.

If there is a problem, then you should let everyone know so they can get it
patched as soon as possible or disable the problem (even if that means the
site itself).

In this case it seems the fixes aren't ready yet, so they are warning the
registered people. It's a catch-22: do you warn everyone, and then hackers
that didn't know about it jump on the bandwagon and start hacking everything
they can find (hopefully the warned somehow prevent this until the fix), or
do you keep it hush-hush, warn the few, and hope the hackers that already
know about it don't hack too many?

I would rather know as soon as possible myself.
 


-----Original Message-----
From: plug-discuss-bounces at lists.plug.phoenix.az.us
[mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of R P
Herrold
Sent: Monday, October 26, 2009 8:35 AM
To: Main PLUG discussion list
Subject: Re: [securityalerts] New Moodle releases 1.9.6 and 1.8.10:
Security fixes

On Mon, 26 Oct 2009, Lisa Kachold wrote:

> Moodle announces more security issues.
>
> By sending out this "advance security notice" of known exploits to 
> registered Moodle sites before the security fixes and "press release"
> it's clear that Moodle does not fully appreciate the state of web
> security today.   Literally thousands of web systems exploiters are
> already targeting school based Moodle php/mysql sites!

And so? So are sendmail and bind and the Linux kernel, each of which
announces its holes as well.

> ---------- Forwarded message ----------
> From: martin at moodle.com
> Subject: [securityalerts] New Moodle releases 1.9.6 and 1.8.10: 
> Security fixes
> To: securityalerts at lists.moodle.org

> You are getting this email because you subscribed to the Moodle security
> alerts list when you registered your Moodle site.   (Thanks for
> registering, by the way!)

I would read this that Moodle cares enough to run a security alerts ML
exploder, and that they care enough to use it.  It seems like sour grapes to
complain that the 'free soup' is not seasoned as you like it.

-- Russ herrold