On Thursday 24 August 2006 02:10, Jason L Tibbitts III wrote:
> >>>>> "TM" == Till Maas <opensource(a)till.name> writes:
> TM> Aloa, I just noticed that moodle is not up-to-date and misses
> TM> security fixes, see:
> TM>
> TM> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203844
> There's not a whole lot of information in that bug report.
> I see CVE-2006-3951 as being related to this. Is there something
> else? Do you have a link to the moodle release information that might
> supply more details?
The link to the release information is in the URL-Field of the bug report but
I added it as a comment because it is easy to overlook - I needed to search
for it though I knew it was there ;-)
Here is the information:
Changelog:
http://docs.moodle.org/en/Release_Notes#Various_fixes
----9<----
Moodle 1.5.4
21st May, 2006
(Because this release contains important security fixes, we highly advise that
sites using any previous version of Moodle upgrade to this version as soon as
possible.)
Various fixes
Security
Improved kses cleaning of html SC#204
Prevent unwanted password change here SC#225
Fix for Secunia Advisory SA18267, plus some logging of suspicious activity.
AdoDB tests cleanup after Secunia Advisory SA18267
Fixed $cfg->forceloginforprofiles logic SC#207. Backported from HEAD
---->8----
I did not look into the details.
Regards,
Till