Merge pull request #1382 from mickhawkins/main

andrewnicols · web-flow · commit 4bcac0269852 · 2025-06-23T22:49:28.000Z
[docs] Add security announcements to 5.0.1 and friends
diff --git a/general/releases/4.1/4.1.19.md b/general/releases/4.1/4.1.19.md
@@ -18,5 +18,12 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 <!-- cspell:enable -->
 
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+<!-- cspell:disable -->
+- [MSA-25-0030](https://moodle.org/mod/forum/discuss.php?d=468501) - Password can be revealed in login page after log out due to caching
+- [MSA-25-0031](https://moodle.org/mod/forum/discuss.php?d=468502) - Upgrade ADOdb including security fix (upstream)
+- [MSA-25-0032](https://moodle.org/mod/forum/discuss.php?d=468503) - SSRF risk via DNS rebind
+- [MSA-25-0033](https://moodle.org/mod/forum/discuss.php?d=468504) - Course visibility not honoured consistently
+- [MSA-25-0034](https://moodle.org/mod/forum/discuss.php?d=468505) - CSRF risk in badges backpack management
+- [MSA-25-0035](https://moodle.org/mod/forum/discuss.php?d=468506) - Missing authorisation checks in BigBlueButton view page
+- [MSA-25-0036](https://moodle.org/mod/forum/discuss.php?d=468507) - IDOR allows fetching of recently accessed courses for other users via web service
+<!-- cspell:enable -->
diff --git a/general/releases/4.4/4.4.9.md b/general/releases/4.4/4.4.9.md
@@ -39,5 +39,12 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 <!-- cspell:enable -->
 
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+<!-- cspell:disable -->
+- [MSA-25-0030](https://moodle.org/mod/forum/discuss.php?d=468501) - Password can be revealed in login page after log out due to caching
+- [MSA-25-0031](https://moodle.org/mod/forum/discuss.php?d=468502) - Upgrade ADOdb including security fix (upstream)
+- [MSA-25-0032](https://moodle.org/mod/forum/discuss.php?d=468503) - SSRF risk via DNS rebind
+- [MSA-25-0033](https://moodle.org/mod/forum/discuss.php?d=468504) - Course visibility not honoured consistently
+- [MSA-25-0034](https://moodle.org/mod/forum/discuss.php?d=468505) - CSRF risk in badges backpack management
+- [MSA-25-0035](https://moodle.org/mod/forum/discuss.php?d=468506) - Missing authorisation checks in BigBlueButton view page
+- [MSA-25-0036](https://moodle.org/mod/forum/discuss.php?d=468507) - IDOR allows fetching of recently accessed courses for other users via web service
+<!-- cspell:enable -->
diff --git a/general/releases/4.5/4.5.5.md b/general/releases/4.5/4.5.5.md
@@ -83,5 +83,12 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 <!-- cspell:enable -->
 
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+<!-- cspell:disable -->
+- [MSA-25-0030](https://moodle.org/mod/forum/discuss.php?d=468501) - Password can be revealed in login page after log out due to caching
+- [MSA-25-0031](https://moodle.org/mod/forum/discuss.php?d=468502) - Upgrade ADOdb including security fix (upstream)
+- [MSA-25-0032](https://moodle.org/mod/forum/discuss.php?d=468503) - SSRF risk via DNS rebind
+- [MSA-25-0033](https://moodle.org/mod/forum/discuss.php?d=468504) - Course visibility not honoured consistently
+- [MSA-25-0034](https://moodle.org/mod/forum/discuss.php?d=468505) - CSRF risk in badges backpack management
+- [MSA-25-0035](https://moodle.org/mod/forum/discuss.php?d=468506) - Missing authorisation checks in BigBlueButton view page
+- [MSA-25-0036](https://moodle.org/mod/forum/discuss.php?d=468507) - IDOR allows fetching of recently accessed courses for other users via web service
+<!-- cspell:enable -->
diff --git a/general/releases/5.0/5.0.1.md b/general/releases/5.0/5.0.1.md
@@ -92,5 +92,13 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 <!-- cspell:enable -->
 
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+<!-- cspell:disable -->
+- [MSA-25-0029](https://moodle.org/mod/forum/discuss.php?d=468500) - XSS risk in MathJax (safe extension not loaded)
+- [MSA-25-0030](https://moodle.org/mod/forum/discuss.php?d=468501) - Password can be revealed in login page after log out due to caching
+- [MSA-25-0031](https://moodle.org/mod/forum/discuss.php?d=468502) - Upgrade ADOdb including security fix (upstream)
+- [MSA-25-0032](https://moodle.org/mod/forum/discuss.php?d=468503) - SSRF risk via DNS rebind
+- [MSA-25-0033](https://moodle.org/mod/forum/discuss.php?d=468504) - Course visibility not honoured consistently
+- [MSA-25-0034](https://moodle.org/mod/forum/discuss.php?d=468505) - CSRF risk in badges backpack management
+- [MSA-25-0035](https://moodle.org/mod/forum/discuss.php?d=468506) - Missing authorisation checks in BigBlueButton view page
+- [MSA-25-0036](https://moodle.org/mod/forum/discuss.php?d=468507) - IDOR allows fetching of recently accessed courses for other users via web service
+<!-- cspell:enable -->
