Summary: | www-apps/moodle: Improper use of cURL API might lead to improper SSL certificate verification (MiTM) (CVE-2012-6087) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | blueness, web-apps |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=892700 | ||
Whiteboard: | ~3[noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-01-07 19:21:32 UTC
Please see bug #444788, its actually a php issue resulting from a change in the way curl does ssl in curl-7.28.1, and its fixed in the new php head. I've already purused it with php upstream. I'm not sure you need to change anything with moodle, but I could be wrong. I'll look at the moodle tracker to see if its a known issue. CVE-2012-6087 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6087): repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value. No vulnerable versions left in tree. Unstable package so no GLSA required. Closing. |