1.9.14 commit for MDL-28615?

by Colin Campbell -
Number of replies: 3

The release notes for 1.9.14 list a fix for MDL-28615, which is about a potential personal information leak in the forums.  I have not been able to find the commit for that in the repository.  I am looking for the commit because we generally only apply security patches in the middle of a semester and not entire point releases.

Is the fix in 1.9.14?  If so, which git commit is it in?

Thanks.

In reply to Colin Campbell

Re: 1.9.14 commit for MDL-28615?

by Tim Hunt -
In reply to Tim Hunt

Re: 1.9.14 commit for MDL-28615?

by Colin Campbell -

Thanks Tim.  I can't follow the link because I don't have access to security-related tickets.  Is a fix for 1.9.x planned?

By the way, what does it take to get access to security-related tickets?

In reply to Colin Campbell

Re: 1.9.14 commit for MDL-28615?

by Tim Hunt -

No, a fix does not seem to be planned for 1.9.x. The key bit from that link:

"About 19_STABLE.... It seems that you only have rearranged code a bit to be able to print the nopermissions error with everything calculated. I guess you do so to rely on the checks performed by forum_search_posts() so initially I'd say it's ok but perhaps it's too much backporting (and radically different). Nah, let's be conservative, my -1 for 19_STABLE."

So, basically, since the privacy problem was very minor (in some situations you could see some people's names when you were not supposed to be able to) and the only way to fix it involved big and risky changes to the code, they decided it was not appropriate to fix on 1.9.

Who can access security tracker issues of each severity is summarised here: http://docs.moodle.org/dev/Using_Tracker#Tracker_fields

Average of ratings: Useful (2)