A server path information disclosure flaw was found in the way Moodle, a course management system, issued certain exceptions (server system paths were provided in selected exception messages). A remote attacker (logged in as Moodle guest) could use this flaw to obtain sensitive information.

References:
[1] http://www.openwall.com/lists/oss-security/2013/03/25/2

Relevant upstream patch:
[2] http://git.moodle.org/gw?p=moodle.git;a=commit;h=8d220cb552d9c55b98aef70e2f40ef560efeb79b
This issue affects the version of the moodle package, as shipped with Fedora release of 18. Please schedule an update.

--

This issue (probably [*]) affects the versions of the moodle package, as shipped with Fedora release of 17 and Fedora EPEL-6.

[*] Probably, because comparison of the proposed upstream patch didn't conclude that the patch would be applicable to those versions. But the [1] advisory also mentions those versions as affected.

--

This issue did NOT affect the version of the moodle package, as shipped with Fedora EPEL-5.
Created moodle tracking bugs for this issue
Affects: fedora-18 [bug 927264]

Created moodle tracking bugs for this issue
Affects: fedora-17 [bug 927267]

Created moodle tracking bugs for this issue
Affects: epel-6 [bug 927273]