===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2019.0885
MSA-19-0009: get_with_capability_join/get_users_by_capability not aware of context freezing
19 March 2019
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Reduced Security -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-3852

Original Bulletin:
   https://moodle.org/mod/forum/discuss.php?d=384015&parent=1547748

--------------------------BEGIN INCLUDED TEXT--------------------

MSA-19-0009: get_with_capability_join/get_users_by_capability not aware of context freezing

Tuesday, 19 March 2019, 11:17 AM

get_with_capability_join and get_users_by_capability were not taking context freezing into account when checking user capabilities

Severity/Risk:     Minor
Versions affected: 3.6 to 3.6.2
Versions fixed:    3.6.3
Reported by:       Andrew Nicols
CVE identifier:    CVE-2019-3852
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64410
Tracker issue:     MDL-64410 get_with_capability_join/get_users_by_capability not aware of context freezing

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

   https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================