A vulnerability in password recovery mechanism was found allowing to guess the password recovery token becasue of php randomization limitations. Affected versions are 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions. Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50860
*** This bug has been marked as a duplicate of bug 1264861 ***