Most partners have their ear to the ground for security issues, but we'd still like to automate this.
Currently the only place I'm aware of where you can get the CVE to MSA to Tracker MDL mapping is this forum, after they are released:
1) I just want all that same data in a more solid programmatic form:
Versions affected: 3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and earlier unsupported versions
Versions fixed: 3.8.3, 3.7.6, 3.6.10 and 3.5.12
Reported by: Paul Holden
Workaround: Disable the 'SCORM package' activity type until the patch is applied.
Tracker issue: MDL-68410 Remote code execution possible via SCORM packages
2) I think the API that Moodle calls to grab the updates also needs to be aware of the presence and severity of any issues:
3) Write Check API checks for this in the security report:
3.1) This should show as a warning as soon as there is a serious security patch available which hasn't been applied. The check detail can show the MSAs and deep link to the public security forum post for that MSA.
3.2) This should show as critical if it still hasn't been applied after some configurable period, which might default to 1 week.
3.3) This should show as info if there is a minor non-security patch which isn't applied.
3.4) This should show as a warning if there is a minor non-security patch which isn't applied after some more generous time period, maybe a month.
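As an added illustration of points 3.1 to 3.4 (this is example code written for this page, not Moodle core code and not the reporter's), here is what such a check could look like on top of the real Check API classes `core\check\check` and `core\check\result`. It assumes the updates API from point 2 returns, for each release newer than the installed one, whether it is a security release, when it was published, and the MSA/MDL references from point 1; the field names, the class name `unapplied_updates`, the grace-period defaults and the sample feed are all made up for the example (MDL-68410 is the real tracker issue quoted above, the MSA number and URL are placeholders).

```php
<?php
// Added example, not Moodle core code: a hypothetical security check that
// implements the escalation rules 3.1 to 3.4. Assumed inputs: the updates API
// lists newer releases with 'security', 'released' and 'advisories' fields
// (names invented here). core\check\check / core\check\result are the real
// Check API classes from Moodle 3.9+.

namespace core\check\security;

use core\check\check;
use core\check\result;

class unapplied_updates extends check {

    /** @var array releases newer than the installed one, as the updates API would return them */
    private $updates;

    /** @var int "now" as a unix timestamp, injectable so the thresholds can be tested */
    private $now;

    /** @var int seconds before an unapplied security release escalates to CRITICAL (3.2) */
    private $securitygrace;

    /** @var int seconds before an unapplied non-security release escalates to WARNING (3.4) */
    private $minorgrace;

    public function __construct(array $updates = null, int $now = null,
            int $securitygrace = 7 * 86400, int $minorgrace = 30 * 86400) {
        // In a real check the feed would come from the updates API and the
        // two grace periods from get_config(); defaults follow 3.2 and 3.4.
        $this->updates = $updates ?? self::sample_feed();
        $this->now = $now ?? time();
        $this->securitygrace = $securitygrace;
        $this->minorgrace = $minorgrace;
    }

    public function get_name(): string {
        return 'Unapplied updates'; // would be a lang string in core
    }

    /** Constructed sample feed. 'MSA-20-XXXX' and the URL are placeholders; MDL-68410 is real. */
    public static function sample_feed(): array {
        return [
            ['version' => '3.8.3', 'security' => true, 'released' => 1589328000,
             'advisories' => [['msa' => 'MSA-20-XXXX', 'tracker' => 'MDL-68410',
                               'url' => 'https://moodle.org/security/']]],
            ['version' => '3.8.4', 'security' => false, 'released' => 1589328000,
             'advisories' => []],
        ];
    }

    /**
     * Status for one unapplied release (kept as a pure function so it is unit-testable):
     *   security release:     WARNING at once (3.1), CRITICAL once older than $securitygrace (3.2)
     *   non-security release: INFO at once (3.3), WARNING once older than $minorgrace (3.4)
     */
    public static function status_for(array $update, int $now, int $securitygrace, int $minorgrace): string {
        $age = $now - $update['released'];
        if ($update['security']) {
            return $age >= $securitygrace ? result::CRITICAL : result::WARNING;
        }
        return $age >= $minorgrace ? result::WARNING : result::INFO;
    }

    public function get_result(): result {
        // The check reports the worst status across all unapplied releases.
        $rank = [result::OK => 0, result::INFO => 1, result::WARNING => 2, result::CRITICAL => 3];
        $worst = result::OK;
        $details = [];
        foreach ($this->updates as $update) {
            $status = self::status_for($update, $this->now, $this->securitygrace, $this->minorgrace);
            if ($rank[$status] > $rank[$worst]) {
                $worst = $status;
            }
            $line = s($update['version']) . ': ' . $status
                  . ($update['security'] ? ' (security release)' : ' (minor release)');
            foreach ($update['advisories'] as $adv) {
                // Deep link each MSA to its public announcement, as 3.1 asks for.
                $line .= ' ' . \html_writer::link($adv['url'], s($adv['msa'])) . ' / ' . s($adv['tracker']);
            }
            $details[] = $line;
        }
        if ($worst === result::OK) {
            return new result(result::OK, 'No unapplied updates', '');
        }
        return new result($worst, count($details) . ' update(s) available but not applied',
            \html_writer::alist($details));
    }
}
```

With the sample feed and a `$now` one day after the release date, `status_for()` gives WARNING for 3.8.3 and INFO for 3.8.4, so the check shows as a warning; eight days later the security release tips it to CRITICAL. To appear in the security report the class would have to be registered the way the other security checks are (core lists its checks in `core\check\manager`; a plugin would expose it through its `security_checks` callback), which is left out here.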