<div dir="ltr">FYI<div><br></div><div>Moodle Security <br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername"></b> <span dir="ltr"><<a href="mailto:michaeld@moodle.com">michaeld@moodle.com</a>></span><br>
Date: Wed, Nov 13, 2013 at 9:21 PM<br>Subject: [securityalerts] Moodle 2.5.3, 2.4.7 and 2.3.10 are now available<br>To: <a href="mailto:securityalerts@lists.moodle.org">securityalerts@lists.moodle.org</a><br><br><br>Hello registered Moodle Admins!<br>
<br>
(This email is going out to over 94,000 registered Moodle admins. You are<br>
receiving this email because you asked for Moodle security news when you<br>
registered a Moodle site. If you don't want these emails then see the very end<br>
of this email for info about unsubscribing. Replies to this email will not be<br>
read.)<br>
<br>
I'm writing today to let you know that Moodle 2.5.3, 2.4.7 and 2.3.10 are<br>
available via the usual open download channels (<a href="http://download.moodle.org" target="_blank">http://download.moodle.org</a><br>
or Git).<br>
<br>
Note the 2.3 branch is now supported for security fixes only.<br>
<br>
The full release notes are here:<br>
<br>
<a href="http://docs.moodle.org/dev/Moodle_2.5.3_release_notes" target="_blank">http://docs.moodle.org/dev/Moodle_2.5.3_release_notes</a><br>
<a href="http://docs.moodle.org/dev/Moodle_2.4.7_release_notes" target="_blank">http://docs.moodle.org/dev/Moodle_2.4.7_release_notes</a><br>
<a href="http://docs.moodle.org/dev/Moodle_2.3.10_release_notes" target="_blank">http://docs.moodle.org/dev/Moodle_2.3.10_release_notes</a><br>
<br>
The release of Moodle 2.6 has been delayed until early next week.<br>
<br>
SECURITY ISSUES<br>
<br>
As well as a long list of bug fixes, performance improvements and polishing,<br>
there are 5 security issues you should be aware of. Details of these security<br>
issues are listed below.<br>
<br>
As a registered Moodle admin we are giving you advance notice of these issues<br>
so you have some time to fix them before we publish them more widely on<br>
<a href="http://moodle.org/security" target="_blank">http://moodle.org/security</a> in one week.<br>
<br>
To avoid leaving your site vulnerable we highly recommend you upgrade your<br>
sites to the latest Moodle version as soon as you can.<br>
<br>
If you cannot upgrade, then please check the following list carefully and patch<br>
your own system or switch off those features.<br>
<br>
Thanks, as always, to EVERYONE involved in reporting and fixing security<br>
issues. It really is a team effort and one with more and more people involved<br>
all the time.<br>
<br>
Thanks for using Moodle!<br>
<br>
Michael de Raadt<br>
Development Manager, Moodle HQ<br>
<br>
=======================================================================<br>
MSA-13-0025: Incorrect headers emitted for secured resources<br>
<br>
Description: Some files were being delivered with incorrect<br>
headers meaning they could be cached downstream.<br>
Issue summary: Incorrect headers emitted for secured resources<br>
Severity/Risk: Minor<br>
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and<br>
earlier unsupported versions<br>
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10<br>
Reported by: Tony Levi<br>
Issue no.: MDL-38743, MDL-42686<br>
CVE Identifier: CVE-2013-4522<br>
Changes (master):<br>
<a href="http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38743" target="_blank">http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38743</a><br>
<br>
=======================================================================<br>
MSA-13-0026: Cross site scripting in Messages<br>
<br>
Description: JavaScript in messages was being executed on some<br>
pages.<br>
Issue summary: Cross Site Scripting in Messages<br>
Severity/Risk: Serious<br>
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and<br>
earlier unsupported versions<br>
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10<br>
Reported by: Panagiotis Petasis<br>
Issue no.: MDL-41941<br>
CVE Identifier: CVE-2013-4523<br>
Workaround: Disable messages<br>
Changes (master):<br>
<a href="http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41941" target="_blank">http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41941</a><br>
<br>
=======================================================================<br>
MSA-13-0027: Access to server files through repository<br>
<br>
Description: The file system repository was allowing access<br>
to files beyond the Moodle file area.<br>
Issue summary: File System repository gives read access to the<br>
whole file system<br>
Severity/Risk: Serious<br>
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and<br>
earlier unsupported versions<br>
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10<br>
Reported by: Frédéric Massart<br>
Issue no.: MDL-41807<br>
CVE Identifier: CVE-2013-4524<br>
Workaround: Do not enable File System repository (default)<br>
Changes (master):<br>
<a href="http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41807" target="_blank">http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41807</a><br>
<br>
=======================================================================<br>
MSA-13-0028: Cross site scripting in Quiz<br>
<br>
Description: JavaScript in question answers was being executed on<br>
the Quiz Results page.<br>
Issue summary: XSS on view quiz results page<br>
Severity/Risk: Serious<br>
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and<br>
earlier unsupported versions<br>
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10<br>
Reported by: Michael Hess<br>
Issue no.: MDL-41820<br>
CVE Identifier: CVE-2013-4525<br>
Workaround: Avoid text-based answers in Quiz.<br>
Changes (master):<br>
<a href="http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41820" target="_blank">http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41820</a><br>
<br>
=======================================================================<br>
MSA-13-0029: Cross site scripting vulnerability in YUI library<br>
<br>
Description: Flash files distributed with the YUI library<br>
may have allowed for cross-site scripting attacks.<br>
This is additional to MSA-13-0025.<br>
Issue summary: YUI2 security vulnerability<br>
Severity/Risk: Serious<br>
Versions affected: 2.3 to 2.3.9 and earlier unsupported versions<br>
Versions fixed: 2.3.10<br>
Reported by: Petr Škoda<br>
Issue no.: MDL-42780<br>
Workaround: Remove all SWF files under the lib/yui directory.<br>
Changes (master):<br>
<a href="http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42780" target="_blank">http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42780</a><br>
<br>
=======================================================================<br>
--<br>
You are receiving this email because you registered a Moodle site with Moodle.org<br>
and chose to be added to this low-volume list of security notifications and other<br>
important Moodle-related announcements for Moodle administrators.<br>
<br>
To unsubscribe you can re-register your site (as above) and make sure you<br>
turn the email option OFF in the registration form. You can also send<br>
a blank email to <a href="mailto:sympa@lists.moodle.org">sympa@lists.moodle.org</a> with "unsubscribe securityalerts"<br>
as the subject (from the email address that is subscribed).<br>
<br>
See <a href="http://lists.moodle.org/info/securityalerts" target="_blank">http://lists.moodle.org/info/securityalerts</a> for more.<br>
<br>
<br>
<br>
<br>
<br>
</div><br><br clear="all"><div><br></div>-- <br><div><br></div>(503) 754-4452 Android<br>(623) 239-3392 Skype<br>(623) 688-3392 Google Voice<br>**<br><a href="http://it-clowns.com/c/" target="_blank">it-clowns.com</a><br>
Chief Clown<br><br><br><br><br><br><br><br><br><br><br><br><br><br>
</div></div>