Moodle 2.9, 2.8.6, 2.7.8 and 2.6.11 are now available
A Message for Registered Moodle Administrators
This email is going out to many thousands of registered Moodle admins. You are receiving this email because you asked for Moodle security news when you registered a Moodle site. If you don’t want these emails then please re-register your site with your new preferences or use the unsubscribe link below. Replies to this email will not be read.
I’m writing today to let you know that Moodle 2.9, 2.8.6, 2.7.8 and 2.6.11 are available via the usual open download channels: http://download.moodle.org or Git.
Note that from now on the 2.7 branch is supported for security fixes only, until May 2017, and the 2.6 branch is no longer supported.
Release notes are available for each new version.
- Moodle 2.9 release notes
- Moodle 2.8.6 release notes
- Moodle 2.7.8 release notes
- Moodle 2.6.11 release notes
Security Issues
As well as a long list of bug fixes, performance improvements and polishing, there are security issues you should be aware of. Details of these security issues are listed below.
As a registered Moodle admin we are giving you advance notice of these issues so you have some time to fix them before we publish them more widely on http://moodle.org/security in one week.
To avoid leaving your site vulnerable, we highly recommend you upgrade your sites to the latest Moodle version as soon as you can. If you cannot upgrade, then please check the following list carefully and patch your own system or switch off those features.
Thanks
Thanks, as always, to EVERYONE involved in reporting and fixing issues. It really is a team effort and one with more and more people involved all the time.
Thanks for using Moodle and being part of the Moodle open source community.
Marina Glancy
Development Process Manager, Moodle HQ
==============================================================================
MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare that
Description: Leaving gradebook feedback is a trusted action, and the
corresponding capabilities in other modules already carry the XSS risk
mask; 'mod/quiz:grade' was missing this flag.
Issue summary: Quiz manual-grading is an XSS risk, but does not declare
that
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Hugh Davenport
Issue no.: MDL-49941
CVE identifier: CVE-2015-3174
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49941
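The risk bitmask is how a capability tells administrators, in the role definition screens, that granting it carries XSS risk; 'mod/quiz:grade' is a write capability that simply never declared it. The script below is an added example, not Moodle's code and not part of this advisory: it lists every write capability in a db/access.php that lacks RISK_XSS so each can be reviewed the way 'mod/quiz:grade' should have been. The constant values are those of Moodle's lib/accesslib.php (assumed, and redefined only so the script runs outside a Moodle install); the sample $capabilities array is constructed input in the db/access.php shape, not the real mod/quiz/db/access.php.

```php
<?php
// Added example, not Moodle's code: triage script listing the write
// capabilities in a plugin's db/access.php that do not declare RISK_XSS,
// so each can be reviewed the way 'mod/quiz:grade' should have been
// (MSA-15-0018). Assumptions: the constant values below are those of
// Moodle's lib/accesslib.php (defined here only so the script runs outside
// a Moodle install); the sample $capabilities array is constructed input,
// not the real mod/quiz/db/access.php.
declare(strict_types=1);

if (!defined('MOODLE_INTERNAL')) {
    define('MOODLE_INTERNAL', true);          // access.php files die() without it
    define('RISK_MANAGETRUST', 0x0001);
    define('RISK_CONFIG',      0x0002);
    define('RISK_XSS',         0x0004);
    define('RISK_PERSONAL',    0x0008);
    define('RISK_SPAM',        0x0010);
    define('RISK_DATALOSS',    0x0020);
    define('CONTEXT_SYSTEM',   10);
    define('CONTEXT_USER',     30);
    define('CONTEXT_COURSECAT', 40);
    define('CONTEXT_COURSE',   50);
    define('CONTEXT_MODULE',   70);
    define('CONTEXT_BLOCK',    80);
    define('CAP_INHERIT',      0);
    define('CAP_ALLOW',        1);
    define('CAP_PREVENT',      -1);
    define('CAP_PROHIBIT',     -1000);
}

/**
 * Names of write capabilities whose riskbitmask lacks RISK_XSS. Read
 * capabilities are skipped because they cannot store content. Every hit is
 * a candidate for review, not automatically a bug: only capabilities whose
 * holders' input is rendered as trusted HTML need the flag.
 */
function write_caps_without_xss_risk(array $capabilities): array {
    $hits = [];
    foreach ($capabilities as $name => $def) {
        if (($def['captype'] ?? 'read') !== 'write') {
            continue;
        }
        $risk = (int)($def['riskbitmask'] ?? 0);
        if (($risk & RISK_XSS) === 0) {
            $hits[] = $name;
        }
    }
    sort($hits);
    return $hits;
}

/** Load a real db/access.php: including it assigns $capabilities in this scope. */
function load_access_file(string $path): array {
    $capabilities = [];
    require $path;
    return $capabilities;
}

// Constructed sample in the db/access.php shape. 'mod/example:grade' mirrors
// the pre-fix 'mod/quiz:grade': a write capability with no risk mask at all.
$sample = [
    'mod/example:view' => [
        'captype' => 'read', 'contextlevel' => CONTEXT_MODULE,
        'archetypes' => ['student' => CAP_ALLOW, 'teacher' => CAP_ALLOW],
    ],
    'mod/example:grade' => [
        'captype' => 'write', 'contextlevel' => CONTEXT_MODULE,
        'archetypes' => ['teacher' => CAP_ALLOW, 'editingteacher' => CAP_ALLOW],
    ],
    'mod/example:addinstance' => [
        'riskbitmask' => RISK_XSS, 'captype' => 'write', 'contextlevel' => CONTEXT_COURSE,
        'archetypes' => ['editingteacher' => CAP_ALLOW, 'manager' => CAP_ALLOW],
    ],
    'mod/example:deleteattempts' => [
        'riskbitmask' => RISK_DATALOSS, 'captype' => 'write', 'contextlevel' => CONTEXT_MODULE,
        'archetypes' => ['editingteacher' => CAP_ALLOW],
    ],
];

$capabilities = isset($argv[1]) ? load_access_file($argv[1]) : $sample;
foreach (write_caps_without_xss_risk($capabilities) as $name) {
    echo "review: $name is a write capability without RISK_XSS\n";
}
```

Run it as `php audit.php mod/yourplugin/db/access.php` to scan a real file, or with no argument to run against the sample. A listed name means "decide whether this capability lets its holder submit HTML that is rendered without cleaning", not "this is a bug": in the sample, 'mod/example:deleteattempts' is correctly flagged only with RISK_DATALOSS, while 'mod/example:grade' is the case this advisory describes.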
==============================================================================
MSA-15-0019: Possible phishing when redirecting to external site using referer
header
Description: Some error messages in Moodle display a button to return to the
previous page. Redirecting to a non-local referer should not be
allowed, as it can potentially be used for phishing.
Issue summary: get_referer() used with redirect() can be insecure
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Dingjie Yang
Issue no.: MDL-49179
CVE identifier: CVE-2015-3175
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49179
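The safe pattern this fix points at is fail-closed: treat the Referer header as untrusted input, redirect to it only when it is strictly under the site root, and otherwise fall back to the root. The code below is an added example, not Moodle's code and not part of this advisory. The hostile referer strings are constructed vectors, $wwwroot stands in for Moodle's $CFG->wwwroot, and naive_is_local() is the kind of loose prefix test this advisory warns against, placed beside the hardened version so the inputs that separate them are visible.

```php
<?php
// Added example, not Moodle's code: a fail-closed "return to previous page"
// URL chooser in the spirit of the MSA-15-0019 fix. Assumptions: $wwwroot is
// the configured site root (Moodle's $CFG->wwwroot, no trailing slash) and
// the Referer header is attacker-controlled, so only a URL strictly under
// $wwwroot is ever passed to redirect(); anything else falls back to $wwwroot.
declare(strict_types=1);

// The kind of check this advisory warns against: "starts with our root"
// without the trailing slash. 'https://moodle.example.com.evil.example/'
// passes it, and so does 'https://moodle.example.com@evil.example/'.
function naive_is_local(string $referer, string $wwwroot): bool {
    return strpos($referer, $wwwroot) === 0;
}

/**
 * Return $referer if it sits under $wwwroot, otherwise $wwwroot itself.
 * Matching on "$wwwroot/" forces scheme, host, port and site path to be
 * identical and the host to end exactly where ours does, which rejects
 * host extension (moodle.example.com.evil.example), userinfo tricks
 * (moodle.example.com@evil.example), scheme downgrades and other ports.
 */
function local_referer_or_default(?string $referer, string $wwwroot): string {
    $wwwroot = rtrim($wwwroot, '/');
    if ($referer === null || $referer === '') {
        return $wwwroot;
    }
    // Browsers treat "\" as "/" and tolerate control characters; strpos()
    // knows nothing of that, so refuse such input instead of reasoning about
    // parser differences.
    if (preg_match('/[\\\\\x00-\x20\x7f]/', $referer) === 1) {
        return $wwwroot;
    }
    if (strpos($referer, $wwwroot . '/') !== 0) {
        return $wwwroot;
    }
    return $referer;
}

// Constructed vectors: [referer, expected result]. Not taken from any report.
$wwwroot = 'https://moodle.example.com';
$ok = 'https://moodle.example.com/course/view.php?id=2';
$vectors = [
    [$ok, $ok],
    [null, $wwwroot],
    ['https://moodle.example.com', $wwwroot],
    ['https://moodle.example.com.evil.example/', $wwwroot],
    ['https://moodle.example.com@evil.example/', $wwwroot],
    ['https://moodle.example.com\\@evil.example/', $wwwroot],
    ['//evil.example/', $wwwroot],
    ['http://moodle.example.com/', $wwwroot],
    ['https://moodle.example.com:8443/', $wwwroot],
    ['https://evil.example/?next=https://moodle.example.com/', $wwwroot],
];

$failures = 0;
foreach ($vectors as [$referer, $expected]) {
    $got = local_referer_or_default($referer, $wwwroot);
    if ($got !== $expected) {
        $failures++;
        fwrite(STDERR, 'FAIL ' . var_export($referer, true) . " -> $got\n");
    }
}

// Referers the naive prefix test accepts but the hardened check sends home.
$disagreements = array_values(array_filter(
    array_column($vectors, 0),
    fn($r) => is_string($r)
        && naive_is_local($r, $wwwroot)
        && local_referer_or_default($r, $wwwroot) !== $r
));
echo "naive check would redirect to:\n  " . implode("\n  ", $disagreements) . "\n";
echo $failures === 0 ? "hardened check: all vectors OK\n" : "hardened check: $failures failures\n";
exit($failures === 0 ? 0 : 1);
```

The strictness is deliberate: a Referer is always an absolute URL, so refusing relative paths, other schemes, other ports and case variants costs nothing, and the fallback to $wwwroot means a rejected referer degrades to "go to the front page" rather than to an error.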
==============================================================================
MSA-15-0020: User fullname disclosure through account confirmation link
Description: On sites with self-registration enabled, unregistered users
can retrieve the full name of registered users if they know
their usernames.
Issue summary: User fullname disclosure through account confirmation link
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Federico Kirschbaum
Issue no.: MDL-50099
Workaround: Even a partial patch (removing one line in /login/confirm.php)
resolves the security issue.
CVE identifier: CVE-2015-3176
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50099
==============================================================================
MSA-15-0021: Any authenticated user can subscribe to site-wide event monitor
rules
Description: If site-wide rules exist in the event monitor tool, any
authenticated user can subscribe to them and potentially access
information they are not supposed to see.
Issue summary: Any authenticated user can subscribe to site wide event
monitor rules
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5
Versions fixed: 2.9 and 2.8.6
Reported by: Adrian Greeve
Issue no.: MDL-50039
Workaround: Do not use site-wide rules until your site is upgraded
CVE identifier: CVE-2015-3177
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50039
==============================================================================
MSA-15-0022: Potential XSS risk when returning text entered by student from
Web Services
Description: If a user who is not XSS-trusted inserts XSS as part of input
text, it is cleaned when displayed on the Moodle website but may
be returned uncleaned through Web Services and displayed
unfiltered in an external application.
Issue summary: external_format_text() cleans and formats text incorrectly
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Eloy Lafuente
Issue no.: MDL-49718
CVE identifier: CVE-2015-3178
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49718
==============================================================================
MSA-15-0023: Suspended user is able to login when confirming email
Description: When self-registration is enabled and a user's account was
suspended after it was created but before it was confirmed, the
user is still able to log in when confirming the email, but
only once.
Issue summary: Suspended user is able to login when confirming email
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Marina Glancy
Issue no.: MDL-50090
CVE identifier: CVE-2015-3179
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50090
==============================================================================
MSA-15-0024: User with suspended enrolment can see sections in the navigation
tree
Description: If a user is enrolled in a course but their enrolment is
suspended, they cannot access the course but were still able
to see the course structure in the navigation block.
Issue summary: User with suspended enrolment can see sections in the
navigation tree
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Alex Mitin
Issue no.: MDL-49788
CVE identifier: CVE-2015-3180
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49788
==============================================================================
MSA-15-0025: Capability to manage own files is not respected in Web
Services
Description: Users whose 'moodle/user:manageownfiles' capability has been
revoked are still able to upload private files using a
deprecated Web Services function.
Issue summary: Users with manageownfiles disabled are able to upload
private files via Web Services
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Juan Leyva
Issue no.: MDL-49994
CVE identifier: CVE-2015-3181
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49994
==============================================================================