From d4834d8050bc62e4108edec14fffed76c761811e Mon Sep 17 00:00:00 2001
From: Michael Hawkins
Date: Mon, 19 Aug 2024 20:17:29 +0800
Subject: [PATCH] [docs] Add security announcements to 4.4.2 and friends
---
 general/releases/4.1/4.1.12.md | 18 ++++++++++++++++--
 general/releases/4.2/4.2.9.md | 18 ++++++++++++++++--
 general/releases/4.3/4.3.6.md | 19 +++++++++++++++++--
 general/releases/4.4/4.4.2.md | 20 ++++++++++++++++++--
 4 files changed, 67 insertions(+), 8 deletions(-)
diff --git a/general/releases/4.1/4.1.12.md b/general/releases/4.1/4.1.12.md
index 689796bcf4..18d7e32203 100644
--- a/general/releases/4.1/4.1.12.md
+++ b/general/releases/4.1/4.1.12.md
@@ -32,5 +32,19 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+
+- [MSA-24-0026](https://moodle.org/mod/forum/discuss.php?d=461193) - Remote code execution via calculated question types
+- [MSA-24-0027](https://moodle.org/mod/forum/discuss.php?d=461194) - Arbitrary file read risk through pdfTeX
+- [MSA-24-0028](https://moodle.org/mod/forum/discuss.php?d=461195) - Admin presets export tool includes some secrets that should not be exported
+- [MSA-24-0029](https://moodle.org/mod/forum/discuss.php?d=461196) - Cache poisoning via injection into storage
+- [MSA-24-0030](https://moodle.org/mod/forum/discuss.php?d=461197) - User information visibility control issues in gradebook reports
+- [MSA-24-0032](https://moodle.org/mod/forum/discuss.php?d=461199) - IDOR in badges allows deletion of arbitrary badges
+- [MSA-24-0033](https://moodle.org/mod/forum/discuss.php?d=461200) - Authorization headers preserved between "emulated redirects"
+- [MSA-24-0035](https://moodle.org/mod/forum/discuss.php?d=461203) - CSRF risk in Feedback non-respondents report
+- [MSA-24-0036](https://moodle.org/mod/forum/discuss.php?d=461205) - Can create global glossary without being admin
+- [MSA-24-0037](https://moodle.org/mod/forum/discuss.php?d=461206) - Site administration SQL injection via XMLDB editor
+- [MSA-24-0038](https://moodle.org/mod/forum/discuss.php?d=461207) - XSS risk when restoring malicious course backup file
+- [MSA-24-0039](https://moodle.org/mod/forum/discuss.php?d=461208) - IDOR in Feedback non-respondents report allows messaging arbitrary site users
+- [MSA-24-0040](https://moodle.org/mod/forum/discuss.php?d=461209) - Reflected XSS via H5P error message
+- [MSA-24-0041](https://moodle.org/mod/forum/discuss.php?d=461210) - LFI vulnerability when restoring malformed block backups
+
diff --git a/general/releases/4.2/4.2.9.md b/general/releases/4.2/4.2.9.md
index 5fa9e0b141..9af009c0fa 100644
--- a/general/releases/4.2/4.2.9.md
+++ b/general/releases/4.2/4.2.9.md
@@ -30,5 +30,19 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+
+- [MSA-24-0026](https://moodle.org/mod/forum/discuss.php?d=461193) - Remote code execution via calculated question types
+- [MSA-24-0027](https://moodle.org/mod/forum/discuss.php?d=461194) - Arbitrary file read risk through pdfTeX
+- [MSA-24-0028](https://moodle.org/mod/forum/discuss.php?d=461195) - Admin presets export tool includes some secrets that should not be exported
+- [MSA-24-0029](https://moodle.org/mod/forum/discuss.php?d=461196) - Cache poisoning via injection into storage
+- [MSA-24-0030](https://moodle.org/mod/forum/discuss.php?d=461197) - User information visibility control issues in gradebook reports
+- [MSA-24-0032](https://moodle.org/mod/forum/discuss.php?d=461199) - IDOR in badges allows deletion of arbitrary badges
+- [MSA-24-0033](https://moodle.org/mod/forum/discuss.php?d=461200) - Authorization headers preserved between "emulated redirects"
+- [MSA-24-0035](https://moodle.org/mod/forum/discuss.php?d=461203) - CSRF risk in Feedback non-respondents report
+- [MSA-24-0036](https://moodle.org/mod/forum/discuss.php?d=461205) - Can create global glossary without being admin
+- [MSA-24-0037](https://moodle.org/mod/forum/discuss.php?d=461206) - Site administration SQL injection via XMLDB editor
+- [MSA-24-0038](https://moodle.org/mod/forum/discuss.php?d=461207) - XSS risk when restoring malicious course backup file
+- [MSA-24-0039](https://moodle.org/mod/forum/discuss.php?d=461208) - IDOR in Feedback non-respondents report allows messaging arbitrary site users
+- [MSA-24-0040](https://moodle.org/mod/forum/discuss.php?d=461209) - Reflected XSS via H5P error message
+- [MSA-24-0041](https://moodle.org/mod/forum/discuss.php?d=461210) - LFI vulnerability when restoring malformed block backups
+
diff --git a/general/releases/4.3/4.3.6.md b/general/releases/4.3/4.3.6.md
index 2fe9e33cf1..9a0a505589 100644
--- a/general/releases/4.3/4.3.6.md
+++ b/general/releases/4.3/4.3.6.md
@@ -95,5 +95,20 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+
+- [MSA-24-0026](https://moodle.org/mod/forum/discuss.php?d=461193) - Remote code execution via calculated question types
+- [MSA-24-0027](https://moodle.org/mod/forum/discuss.php?d=461194) - Arbitrary file read risk through pdfTeX
+- [MSA-24-0028](https://moodle.org/mod/forum/discuss.php?d=461195) - Admin presets export tool includes some secrets that should not be exported
+- [MSA-24-0029](https://moodle.org/mod/forum/discuss.php?d=461196) - Cache poisoning via injection into storage
+- [MSA-24-0030](https://moodle.org/mod/forum/discuss.php?d=461197) - User information visibility control issues in gradebook reports
+- [MSA-24-0032](https://moodle.org/mod/forum/discuss.php?d=461199) - IDOR in badges allows deletion of arbitrary badges
+- [MSA-24-0033](https://moodle.org/mod/forum/discuss.php?d=461200) - Authorization headers preserved between "emulated redirects"
+- [MSA-24-0034](https://moodle.org/mod/forum/discuss.php?d=461202) - Matrix user/power level management not always working as expected with suspended users
+- [MSA-24-0035](https://moodle.org/mod/forum/discuss.php?d=461203) - CSRF risk in Feedback non-respondents report
+- [MSA-24-0036](https://moodle.org/mod/forum/discuss.php?d=461205) - Can create global glossary without being admin
+- [MSA-24-0037](https://moodle.org/mod/forum/discuss.php?d=461206) - Site administration SQL injection via XMLDB editor
+- [MSA-24-0038](https://moodle.org/mod/forum/discuss.php?d=461207) - XSS risk when restoring malicious course backup file
+- [MSA-24-0039](https://moodle.org/mod/forum/discuss.php?d=461208) - IDOR in Feedback non-respondents report allows messaging arbitrary site users
+- [MSA-24-0040](https://moodle.org/mod/forum/discuss.php?d=461209) - Reflected XSS via H5P error message
+- [MSA-24-0041](https://moodle.org/mod/forum/discuss.php?d=461210) - LFI vulnerability when restoring malformed block backups
+
diff --git a/general/releases/4.4/4.4.2.md b/general/releases/4.4/4.4.2.md
index 79bbe9e4e4..b1df32bb65 100644
--- a/general/releases/4.4/4.4.2.md
+++ b/general/releases/4.4/4.4.2.md
@@ -104,5 +104,21 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+
+- [MSA-24-0026](https://moodle.org/mod/forum/discuss.php?d=461193) - Remote code execution via calculated question types
+- [MSA-24-0027](https://moodle.org/mod/forum/discuss.php?d=461194) - Arbitrary file read risk through pdfTeX
+- [MSA-24-0028](https://moodle.org/mod/forum/discuss.php?d=461195) - Admin presets export tool includes some secrets that should not be exported
+- [MSA-24-0029](https://moodle.org/mod/forum/discuss.php?d=461196) - Cache poisoning via injection into storage
+- [MSA-24-0030](https://moodle.org/mod/forum/discuss.php?d=461197) - User information visibility control issues in gradebook reports
+- [MSA-24-0031](https://moodle.org/mod/forum/discuss.php?d=461198) - Lack of access control when using external methods for Quiz overrides
+- [MSA-24-0032](https://moodle.org/mod/forum/discuss.php?d=461199) - IDOR in badges allows deletion of arbitrary badges
+- [MSA-24-0033](https://moodle.org/mod/forum/discuss.php?d=461200) - Authorization headers preserved between "emulated redirects"
+- [MSA-24-0034](https://moodle.org/mod/forum/discuss.php?d=461202) - Matrix user/power level management not always working as expected with suspended users
+- [MSA-24-0035](https://moodle.org/mod/forum/discuss.php?d=461203) - CSRF risk in Feedback non-respondents report
+- [MSA-24-0036](https://moodle.org/mod/forum/discuss.php?d=461205) - Can create global glossary without being admin
+- [MSA-24-0037](https://moodle.org/mod/forum/discuss.php?d=461206) - Site administration SQL injection via XMLDB editor
+- [MSA-24-0038](https://moodle.org/mod/forum/discuss.php?d=461207) - XSS risk when restoring malicious course backup file
+- [MSA-24-0039](https://moodle.org/mod/forum/discuss.php?d=461208) - IDOR in Feedback non-respondents report allows messaging arbitrary site users
+- [MSA-24-0040](https://moodle.org/mod/forum/discuss.php?d=461209) - Reflected XSS via H5P error message
+- [MSA-24-0041](https://moodle.org/mod/forum/discuss.php?d=461210) - LFI vulnerability when restoring malformed block backups
+