A security flaw was found in the way Moodle course management system performed user permissions validation by course topic management. A remote attackers, with course editing capabilities, but without ability to show / hide topics or set the current topic for a particular course could use this flaw to successfully complete these actions under certain circumstances. Upstream patch: [1] http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28207 References: [2] http://www.openwall.com/lists/oss-security/2012/09/17/1
This issue affects the version of the moodle package, as shipped with Fedora release of 17 (the upstream course/view.php patch part is applicable). -- This issue did NOT affect the version of the moodle package, as shipped with Fedora release of 16. This issue did NOT affect the versions of the moodle package, as shipped with Fedora EPEL 5 and 6.
Update in progress, not linked to any BZ, none assigned to me.
Created moodle tracking bugs for this issue Affects: fedora-17 [bug 857981]