A security flaw was found in the way Moodle, a course management system (CMS), used (lib)cURL's CURLOPT_SSL_VERIFYHOST variable, when doing certificate validation (value of '1' meaning only check for the existence of a common name was used instead of value '2' - which also checks if the particular common name matches the requested hostname of the server). A rogue service could use this flaw to conduct man-in-the-middle (MiTM) attacks. References: [1] http://www.openwall.com/lists/oss-security/2013/01/02/1 [2] http://www.openwall.com/lists/oss-security/2013/01/03/1 [3] https://github.com/tpyo/amazon-s3-php-class/pull/36 Relevant upstream patch: [4] https://github.com/tmuras/amazon-s3-php-class/commit/07bb73fe2ad2c74e0d1af395a391ddb8d0fcaa7c
This issue affects the versions of the moodle package, as shipped with Fedora release of 16 and 17. Please schedule an update. -- This issue affects the version of the moodle package, as shipped with Fedora EPEL 6. Please schedule an update. -- This issue did NOT affect the version of the moodle package, as shipped with Fedora EPEL 5 (it does not provide support for Amazon S3 module yet).
Created moodle tracking bugs for this issue Affects: fedora-all [bug 892701] Affects: epel-6 [bug 892702]
This appears to affect all rawhide and f18 as well, and the most recent 2.4.1, does it not?
(In reply to comment #3) Hi Jon, > This appears to affect all rawhide and f18 as well, and the most recent > 2.4.1, does it not? Yes, according to: http://git.moodle.org/gw?p=moodle.git;a=blob_plain;f=repository/s3/S3.php;hb=62b48ad7ada1e9b88c68ffcfa20d560e490b43cc this would affect most recent v.2.4.1 version too (thus rawhide and F18 too). (got there from http://git.moodle.org/gw?p=moodle.git;a=tree;h=3097afdeb5e55c4ee82e7fe00be78fc6006ee209;hb=62b48ad7ada1e9b88c68ffcfa20d560e490b43cc link).