Two flaws were reported [1],[2] in moodle versions < 2.0.4 and < 2.1.1 (1.9.x is not affected):

moodle_enrol_external:role_assign() does not obey role assignment restrictions (MSA-11-0021)
The course creator role has incorrect default permissions (MSA-11-0022)

[1] http://moodle.org/mod/forum/discuss.php?d=182738
[2] http://moodle.org/mod/forum/discuss.php?d=182739

Recommend upgrading EPEL6 and Fedora 16/rawhide to 2.0.4. Earlier versions of EPEL and Fedora have 1.9.x or 1.8.x and are not affected.
Created moodle tracking bugs for this issue

Affects: epel-6 [bug 730070]
Affects: fedora-rawhide [bug 730071]
MSA-11-0021 was assigned CVE-2011-4295
MSA-11-0022 was assigned CVE-2011-4296
EPEL6 is currently at the fixed 2.1.2 version, as is rawhide. F16 has 2.0.5 and is not vulnerable.