Bug 450744 (CVE-2012-6087) - www-apps/moodle: Improper use of cURL API might lead to improper SSL certificate verification (MiTM) (CVE-2012-6087)
Summary: www-apps/moodle: Improper use of cURL API might lead to improper SSL certific...
Alias: CVE-2012-6087
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~3[noglsa]
Reported: 2013-01-07 19:21 UTC by Agostino Sarubbo
Modified: 2016-03-04 13:12 UTC
Description Agostino Sarubbo gentoo-dev 2013-01-07 19:21:32 UTC
From $URL :

A security flaw was found in the way Moodle, a course management system (CMS), used (lib)cURL's 
CURLOPT_SSL_VERIFYHOST variable, when doing certificate validation (value of '1' meaning only check 
for the existence of a common name was used instead of value '2' - which also checks if the 
particular common name matches the requested hostname of the server). A rogue service could use 
this flaw to conduct man-in-the-middle (MiTM) attacks.


Relevant upstream patch:
Comment 1 Anthony Basile gentoo-dev 2013-01-07 20:03:48 UTC
Please see bug #444788, it's actually a php issue resulting from a change in the way curl does ssl in curl-7.28.1, and it's fixed in the new php head. I've already pursued it with php upstream. I'm not sure you need to change anything with moodle, but I could be wrong. I'll look at the moodle tracker to see if it's a known issue.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-09-17 22:31:30 UTC
CVE-2012-6087:
  repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11,
  2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not
  verify that the server hostname matches a domain name in the subject's
  Common Name (CN) or subjectAltName field of the X.509 certificate, which
  allows man-in-the-middle attackers to spoof SSL servers via an arbitrary
  valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-04 13:12:37 UTC
No vulnerable versions left in tree.  Unstable package so no GLSA required.  Closing.
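
An added example, not part of the original bug report or of Moodle's code: a small Python audit that scans PHP source for CURLOPT_SSL_VERIFYHOST settings other than 2, the value the description says is needed for the certificate name to be matched against the requested hostname. The sample PHP, the names `classify` and `audit`, and the verdict labels are constructed for illustration; the check goes slightly beyond the report by also flagging 0 and boolean arguments.

```python
import re

# curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, <value>) -> captures <value>
SETOPT_RE = re.compile(
    r"curl_setopt\s*\(\s*[^,]+,\s*CURLOPT_SSL_VERIFYHOST\s*,\s*([^)]+?)\s*\)"
)
# Array form used with curl_setopt_array(): CURLOPT_SSL_VERIFYHOST => <value>
ARRAY_RE = re.compile(r"CURLOPT_SSL_VERIFYHOST\s*=>\s*([^,\)\]]+)")

# Constructed sample input (hypothetical PHP, not taken from Moodle).
SAMPLE_PHP = '''<?php
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($other, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt_array($third, array(CURLOPT_SSL_VERIFYHOST => true));
curl_setopt($fourth, CURLOPT_SSL_VERIFYHOST, $verify);
'''


def classify(value):
    """Return 'ok', 'weak' or 'review' for a CURLOPT_SSL_VERIFYHOST argument."""
    v = value.strip().lower()
    if v == "2":
        return "ok"      # certificate name must match the requested hostname
    if v in ("0", "1", "true", "false"):
        return "weak"    # PHP casts true to 1 and false to 0: no hostname match
    return "review"      # variable or expression, needs a manual look


def audit(php_source):
    """Return (line_number, value, verdict) for every setting that is not 'ok'."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue     # skip lines that are entirely comments
        for regex in (SETOPT_RE, ARRAY_RE):
            for match in regex.finditer(line):
                value = match.group(1).strip()
                verdict = classify(value)
                if verdict != "ok":
                    findings.append((lineno, value, verdict))
    return findings


if __name__ == "__main__":
    for lineno, value, verdict in audit(SAMPLE_PHP):
        print(f"line {lineno}: CURLOPT_SSL_VERIFYHOST = {value} [{verdict}]")
```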