[Plug-security] Fwd: [securityalerts] Moodle 2.5.3, 2.4.7 and 2.3.10 are now available

Lisa Kachold lisakachold at obnosis.com
Wed Nov 13 21:59:33 MST 2013 

FYI

Moodle Security

---------- Forwarded message ----------
From: <michaeld at moodle.com>
Date: Wed, Nov 13, 2013 at 9:21 PM
Subject: [securityalerts] Moodle 2.5.3, 2.4.7 and 2.3.10 are now available
To: securityalerts at lists.moodle.org


Hello registered Moodle Admins!

(This email is going out to over 94,000 registered Moodle admins. You are
receiving this email because you asked for Moodle security news when you
registered a Moodle site. If you don't want these emails then see the very
end
of this email for info about unsubscribing. Replies to this email will not
be
read.)

I'm writing today to let you know that Moodle 2.5.3, 2.4.7 and 2.3.10 are
available via the usual open download channels (http://download.moodle.org
or Git).

Note the 2.3 branch is now supported for security fixes only.

The full release notes are here:

http://docs.moodle.org/dev/Moodle_2.5.3_release_notes
http://docs.moodle.org/dev/Moodle_2.4.7_release_notes
http://docs.moodle.org/dev/Moodle_2.3.10_release_notes

The release of Moodle 2.6 has been delayed until early next week.

SECURITY ISSUES

As well as a long list of bug fixes, performance improvements and polishing,
there are 5 security issues you should be aware of. Details of these
security
issues are listed below.

As a registered Moodle admin we are giving you advance notice of these
issues
so you have some time to fix them before we publish them more widely on
http://moodle.org/security in one week.

To avoid leaving your site vulnerable we highly recommend you upgrade your
sites to the latest Moodle version as soon as you can.

If you cannot upgrade, then please check the following list carefully and
patch
your own system or switch off those features.

Thanks, as always, to EVERYONE involved in reporting and fixing security
issues. It really is a team effort and one with more and more people
involved
all the time.

Thanks for using Moodle!

Michael de Raadt
Development Manager, Moodle HQ

=======================================================================
MSA-13-0025: Incorrect headers emitted for secured resources

Description:       Some files were being delivered with incorrect
                   headers meaning they could be cached downstream.
Issue summary:     Incorrect headers emitted for secured resources
Severity/Risk:     Minor
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
                   earlier unsupported versions
Versions fixed:    2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by:       Tony Levi
Issue no.:         MDL-38743, MDL-42686
CVE Identifier:    CVE-2013-4522
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38743

=======================================================================
MSA-13-0026: Cross site scripting in Messages

Description:       JavaScript in messages was being executed on some
                   pages.
Issue summary:     Cross Site Scripting in Messages
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
                   earlier unsupported versions
Versions fixed:    2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by:       Panagiotis Petasis
Issue no.:         MDL-41941
CVE Identifier:    CVE-2013-4523
Workaround:        Disable messages
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41941

=======================================================================
MSA-13-0027: Access to server files through repository

Description:       The file system repository was allowing access
                   to files beyond the Moodle file area.
Issue summary:     File System repository gives read access to the
                   whole file system
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
                   earlier unsupported versions
Versions fixed:    2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by:       Frédéric Massart
Issue no.:         MDL-41807
CVE Identifier:    CVE-2013-4524
Workaround:        Do not enable File System repository (default)
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41807

=======================================================================
MSA-13-0028: Cross site scripting in Quiz

Description:       JavaScript in question answers was being executed on
                   the Quiz Results page.
Issue summary:     XSS on view quiz results page
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
                   earlier unsupported versions
Versions fixed:    2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by:       Michael Hess
Issue no.:         MDL-41820
CVE Identifier:    CVE-2013-4525
Workaround:        Avoid text-based answers in Quiz.
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41820

=======================================================================
MSA-13-0029: Cross site scripting vulnerability in YUI library

Description:       Flash files distributed with the YUI library
                   may have allowed for cross-site scripting attacks.
                   This is additional to MSA-13-0025.
Issue summary:     YUI2 security vulnerability
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.9 and earlier unsupported versions
Versions fixed:    2.3.10
Reported by:       Petr Škoda
Issue no.:         MDL-42780
Workaround:        Remove all SWF files under the lib/yui directory.
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42780

=======================================================================
--
You are receiving this email because you registered a Moodle site with
Moodle.org
and chose to be added to this low-volume list of security notifications and
other
important Moodle-related announcements for Moodle administrators.

To unsubscribe you can re-register your site (as above) and make sure you
turn the email option OFF in the registration form.  You can also send
a blank email to sympa at lists.moodle.org with "unsubscribe securityalerts"
as the subject (from the email address that is subscribed).

See http://lists.moodle.org/info/securityalerts for more.








-- 

(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
it-clowns.com <http://it-clowns.com/c/>
Chief Clown
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-security/attachments/20131113/e38066e8/attachment.html>

More information about the Plug-security mailing list