An information disclosure flaw was found in the way Moodle, a course management system, honoured the 'forceloginforprofiles' configuration option / settings (course profile information was available regardless of this option being enabled / applied). A remote attacker (logged in as Moodle guest) could use this flaw to obtain sensitive information.

References:
[1] http://www.openwall.com/lists/oss-security/2013/03/25/2

Relevant upstream patch:
[2] http://git.moodle.org/gw?p=moodle.git;a=commit;h=3ecc63e9dbe29c6a5a8f65fa8e7980ba0fffb5a8
This issue affects the versions of the moodle package, as shipped with Fedora release of 18, 17, and Fedora EPEL-6. Please schedule an update.

--

This issue (probably [*]) does not affect the version of the moodle package, as shipped with Fedora EPEL-5.

[*] Saying probably, because based on comparing the proposed upstream patch with the relevant source code it is not possible (without further investigation) to determine if the particular version is not affected.
Created moodle tracking bugs for this issue
Affects: fedora-18 [bug 927264]

Created moodle tracking bugs for this issue
Affects: fedora-17 [bug 927267]

Created moodle tracking bugs for this issue
Affects: epel-6 [bug 927273]