Two flaws were reported in moodle versions < 2.0.4 and < 2.1.1 (1.9.x is not affected):
moodle_enrol_external:role_assign() does not obey role assignment restrictions (MSA-11-0021)
The course creator role has incorrect default permissions (MSA-11-0022)
Recommend upgrading EPEL6 and Fedora 16/rawhide to 2.0.4. Earlier versions of EPEL and Fedora have 1.9.x or 1.8.x and are not affected.
Created moodle tracking bugs for this issue
Affects: epel-6 [bug 730070]
Affects: fedora-rawhide [bug 730071]
MSA-11-0021 was assigned CVE-2011-4295
MSA-11-0022 was assigned CVE-2011-4296
EPEL6 is currently at the fixed 2.1.2 version, as is rawhide. F16 has 2.0.5 and is not vulnerable.