http://download.moodle.org, CVS or Git
The full release notes are here:
* http://docs.moodle.org/dev/Moodle_1.9.15_release_notes
* http://docs.moodle.org/dev/Moodle_2.0.6_release_notes
* http://docs.moodle.org/dev/Moodle_2.1.3_release_notes
=======================================================================
MSA-11-0042: Information leak in Wiki
Topic: wiki leaks creator's username in history & deletion UI
Severity/Risk: Minor
Versions affected: 2.1 to 2.1.3, 2.0 to 2.0.6 (1.9.x not affected)
Reported by: Sunner Sun
Issue no.: MDL-29191
Changes (master):
http://git.moodle.org/gw?p=moodle.git;a=commit;h=140af2a0f0a4598bf568b9ae182cb81eb583edeb
Description:
A Wiki creator's username was shown in place of their full name.
=======================================================================
MSA-11-0043: Possible link redirect in Calendar
Topic: Calendar doesn't check $returnurl is valid
Severity/Risk: Minor
Versions affected: 2.1 to 2.1.3 (2.0.x, 1.9.x not affected)
Reported by: Dan Marsden
Issue no.: MDL-28720
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28720&sr=1
Description:
The Calendar set page was taking a full URL used for redirection without
checking if the URL is within the Moodle site.
=======================================================================
MSA-11-0044: Expired identification information shown in Web services
Topic: security key web service tokens are displayed when
the service is disabled or if the user is not
authorized any more
Severity/Risk: Minor
Versions affected: 2.1 to 2.1.3, 2.0 to 2.0.6 (1.9.x not affected)
Reported by: Jerome Mouneyrac
Issue no.: MDL-28670
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28670&sr=1
Workaround: Do not enable then disable web services
Description:
Expired web service tokens were being displayed.
=======================================================================
MSA-11-0045: Potential to masquerade through MNet
Topic: MNET auth and "Login As" functionality
Severity/Risk: Minor
Versions affected: 2.1 to 2.1.3, 2.0 to 2.0.6, 1.9 to 1.9.15
Reported by: vickerylm
Issue no.: MDL-29977
Changes (master):
http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=10df8657c1c138c0d0ab1d4796c552fcec0c299b
Workaround: Turn off MNet or "Login as"
Description:
MNET authentication didn't prevent a user using "Login As" from jumping
to a remote MNET SSO, such as an enabled Mahara site.
=======================================================================
MSA-11-0046: Insecure authentication transmission
Topic: Change password form is sent over HTTP when
httpslogin = true
Severity/Risk: Minor
Versions affected: 1.9 to 1.9.15 (2.x not affected)
Reported by: Darragh Enright
Issue no.: MDL-29092
Changes (1.9):
http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=01dd64a8c8aa95f793accea371b2392e662663c5
Description:
When a user was entering a new password, this information was sent to
the server using an insecure transmission.
=======================================================================
MSA-11-0047: Possible injection attack in Calendar
Topic: CRLF injection/HTTP response splitting affecting
/calendar/set.php
Severity/Risk: Serious
Versions affected: 2.1 to 2.1.3, 2.0 to 2.0.6, 1.9 to 1.9.15
Reported by: David Michael Evans, German Sanchez Garces
Issue no.: MDL-29925
Changes (master):
http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=581e8dba387f090d89382115fd850d8b44351526
Description:
It was possible to inject carriage-return/line-feed sequences through
request parameters handled by /calendar/set.php, so that attacker-supplied
content ended up in the HTTP response headers (HTTP response splitting).
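The two calendar issues above (MSA-11-0043 and MSA-11-0047) share one root
cause: a return URL taken from the request and passed to a redirect without
validation. The following is an added example, not Moodle's own code; it
shows a validator that rejects control characters (which would split the
response) and off-site targets before the value reaches a Location header.
$wwwroot stands in for Moodle's $CFG->wwwroot; the function name and the
sample site are assumptions.

```php
<?php
// Added example (not Moodle's code): validate a user-supplied return URL
// before issuing a redirect. Two checks matter: no control characters
// (CR/LF would split the HTTP response, MSA-11-0047) and the target must
// stay inside the site (open redirect, MSA-11-0043). Anything doubtful
// falls back to a fixed safe path.

function safe_return_url(string $returnurl, string $wwwroot, string $fallback): string {
    // Reject any control character, including \r and \n, rather than
    // trying to strip it; a stripped value is still attacker-shaped.
    if (preg_match('/[\x00-\x1F\x7F]/', $returnurl)) {
        return $fallback;
    }
    // Backslashes are treated like slashes by some browsers ("/\evil"),
    // so refuse them as well.
    if (strpos($returnurl, '\\') !== false) {
        return $fallback;
    }
    $parts = parse_url($returnurl);
    $site  = parse_url($wwwroot);
    if ($parts === false || $site === false) {
        return $fallback;
    }
    // Absolute URLs (anything with a scheme or host, which covers the
    // scheme-relative "//host/" form) must match scheme, host and port.
    if (isset($parts['scheme']) || isset($parts['host'])) {
        $same = strcasecmp($parts['scheme'] ?? '', $site['scheme'] ?? '') === 0
             && strcasecmp($parts['host'] ?? '', $site['host'] ?? '') === 0
             && ($parts['port'] ?? null) === ($site['port'] ?? null);
        if (!$same) {
            return $fallback;
        }
    }
    // Whether absolute or site-absolute relative, the path must sit under
    // the site's path prefix (e.g. "/moodle/").
    $sitepath = rtrim($site['path'] ?? '', '/') . '/';
    $path     = $parts['path'] ?? '';
    if (strpos($path, $sitepath) !== 0) {
        return $fallback;
    }
    return $returnurl;
}

// Constructed sample site and inputs; run with `php validate_return.php`.
$wwwroot  = 'https://moodle.example.org/moodle';
$fallback = '/moodle/calendar/view.php';
$inputs = [
    'https://moodle.example.org/moodle/calendar/view.php?view=month', // kept
    'https://attacker.example/phish',                                  // off-site
    "https://moodle.example.org/moodle/x\r\nSet-Cookie: a=b",          // CRLF
    '//attacker.example/',                                             // scheme-relative
    '/moodle/user/view.php?id=2',                                      // kept
    '/other-app/index.php',                                            // wrong prefix
];
foreach ($inputs as $url) {
    printf("%-60s -> %s\n", json_encode($url), safe_return_url($url, $wwwroot, $fallback));
}
```

The fallback is a fixed site path rather than the raw input with bad bytes
removed, so a rejected value can never partially survive into the header.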
=======================================================================
MSA-11-0048: Password loss issue
Topic: Password policy misconfiguration results in blank
password from password reset
Severity/Risk: Minor
Versions affected: 2.1 to 2.1.3, 2.0 to 2.0.6, 1.9 to 1.9.15
Reported by: Stephen Mc Guinness
Issue no.: MDL-29893
Changes (master):
http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=e079e82c087becf06d902089d14f3f76686bde19
Workaround: Do not set password policy length values to zero
Description:
When password policy length values (length of password, digits,
lowercase letters, etc.) are set to zero, an empty password can be
entered, but then it is not possible to change this password.
=======================================================================
MSA-11-0049: Network restriction ineffective with MNet
Topic: ip_in_range always returns true
Severity/Risk: Serious
Versions affected: 1.9 to 1.9.15 (2.x not affected)
Reported by: Patrick McNeill
Issue no.: MDL-29551
Changes (1.9):
http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=3ab2851d2a59721445945d0706c58092e07e861e
Workaround: Do not rely on IP address restriction with MNet
Description:
IP address restrictions on XMLRPC (MNet) requests were ineffective in some
circumstances because the range check (ip_in_range) always returned true.
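The failure in MSA-11-0049 is a range check that answers true for every
address, which silently disables the restriction. The following is an added
example, not Moodle's ip_in_range: a small IPv4 range matcher whose accepted
forms (exact address, CIDR, dotted prefix, last-octet span) are an
assumption modelled loosely on Moodle's subnet syntax, plus a set of
constructed cases that include addresses which must be rejected. Any range
that cannot be parsed, or that would match everything, is treated as no
match.

```php
<?php
// Added example (not Moodle's code): an IPv4 range check of the kind MNet
// relies on, written so that "no match" is the default. Assumes 64-bit
// PHP 7.1+ (ip2long returns non-negative ints there).

function ip_in_range_checked(string $ip, string $range): bool {
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;                                  // not a valid IPv4 address
    }
    $range = trim($range);

    // CIDR form: a.b.c.d/nn
    if (preg_match('#^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$#', $range, $m)) {
        $net  = ip2long($m[1]);
        $bits = (int) $m[2];
        // /0 would match every address; treat it as a misconfiguration.
        if ($net === false || $bits < 1 || $bits > 32) {
            return false;
        }
        $mask = (-1 << (32 - $bits)) & 0xFFFFFFFF;
        return ($addr & $mask) === ($net & $mask);
    }

    // Last-octet span: a.b.c.d-e
    if (preg_match('#^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})$#', $range, $m)) {
        $lo = ip2long($m[1] . $m[2]);
        $hi = ip2long($m[1] . $m[3]);
        if ($lo === false || $hi === false || $lo > $hi) {
            return false;
        }
        return $addr >= $lo && $addr <= $hi;
    }

    // Dotted prefix: "a.b.c." or "a.b." (compared against the canonical
    // form of the address so "10.0.0." cannot match 10.0.01.x spellings).
    if (preg_match('#^(\d{1,3}\.){1,3}$#', $range)) {
        return strpos(long2ip($addr), $range) === 0;
    }

    // Exact address
    $exact = ip2long($range);
    if ($exact !== false) {
        return $addr === $exact;
    }

    return false;                                      // unparsable range: never a match
}

// Constructed cases: [address, range, expected]. The negative rows are the
// ones that catch an implementation which always returns true.
$cases = [
    ['10.1.2.3',  '10.1.2.0/24',  true],
    ['10.1.3.3',  '10.1.2.0/24',  false],
    ['10.1.2.3',  '10.1.2.',      true],
    ['192.0.2.7', '10.1.2.',      false],
    ['10.1.2.40', '10.1.2.10-50', true],
    ['10.1.2.60', '10.1.2.10-50', false],
    ['10.1.2.3',  '10.1.2.3',     true],
    ['10.1.2.3',  '0.0.0.0/0',    false],
    ['10.1.2.3',  'not-a-range',  false],
];
foreach ($cases as [$ip, $range, $expected]) {
    $got = ip_in_range_checked($ip, $range);
    printf("%-10s in %-13s => %-5s %s\n", $ip, $range, var_export($got, true),
           $got === $expected ? 'ok' : 'MISMATCH');
}
```

Running the table is the point: a regression test for a restriction
function should always include addresses that are supposed to be refused,
since a check that never says no passes every positive-only test.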
=======================================================================
MSA-11-0050: Backup capability issue
Topic: moodle/course:changeidnumber permission is ignored
when restoring a course into an existing course
Severity/Risk: Minor
Versions affected: 2.1 to 2.1.3, 2.0 to 2.0.6 (1.9.x not affected)
Reported by: Andrew Nicols
Issue no.: MDL-29591
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29591
Description:
The capability for replacing course ID numbers when restoring a course
was not being followed.
=======================================================================
MSA-11-0051: Authentication issue with Web services
Topic: webservice access tokens ignore login restrictions
Severity/Risk: Serious
Versions affected: 2.1 to 2.1.3, 2.0 to 2.0.6 (1.9.x not affected)
Reported by: Petr Škoda
Issue no.: MDL-28629
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28629
Workaround: Turn off web services
Description:
Web services were not checking all login restrictions when
authenticating a user.
=======================================================================
MSA-11-0052: Potential to exploit developer debugging scripts
Topic: print_object in datalib.php should have some
validation to make sure it's not exploited
Severity/Risk: Minor
Versions affected: 2.1 to 2.1.3, 2.0 to 2.0.6 (1.9.x not affected)
Reported by: Rajesh Taneja
Issue no.: MDL-28947
Changes (master):
http://git.moodle.org/gw?p=moodle.git;a=commit;h=187672608ec96659e07f2461b3b83634debd16cb
Workaround: Avoid leaving debugging code behind
Description:
Developers debugging a system may output object states, and the
filtering of this output has now been strengthened.
=======================================================================
MSA-11-0053: Security and system administration conflict
Topic: CLI cron doesn't work if blockedip used
Severity/Risk: Minor
Versions affected: 2.1 to 2.1.3, 2.0 to 2.0.6 (1.9.x not affected)
Reported by: Ryan Smith
Issue no.: MDL-29396
Changes (master):
http://git.moodle.org/gw?p=moodle.git;a=commit;h=187672608ec96659e07f2461b3b83634debd16cb
Workaround: Avoid CLI or do not rely on IP blocking
Description:
The command line interface for administration was not working when IP
blocking was used. Removing blocked IPs allows the CLI to work but
reduces security.
=======================================================================
MSA-11-0054: Personal information leak
Topic: When you send a message with user/action_redir you
can see the emails although you had selected to hide
to all
Severity/Risk: Minor
Versions affected: 2.1 to 2.1.3, 2.0 to 2.0.6, 1.9 to 1.9.15
Reported by: Fernando Graells
Issue no.: MDL-20627
Changes (master):
http://git.moodle.org/gw?p=moodle.git;a=commit;h=187672608ec96659e07f2461b3b83634debd16cb