Bug 450744 (CVE-2012-6087) - www-apps/moodle: Improper use of cURL API might lead to improper SSL certificate verification (MiTM) (CVE-2012-6087)
Status: RESOLVED FIXED
Alias: CVE-2012-6087
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~3[noglsa]
Reported: 2013-01-07 19:21 UTC by Agostino Sarubbo
Modified: 2016-03-04 13:12 UTC (History)
Description Agostino Sarubbo gentoo-dev 2013-01-07 19:21:32 UTC
From $URL :

A security flaw was found in the way Moodle, a course management system (CMS), used (lib)cURL's 
CURLOPT_SSL_VERIFYHOST variable, when doing certificate validation (value of '1' meaning only check 
for the existence of a common name was used instead of value '2' - which also checks if the 
particular common name matches the requested hostname of the server). A rogue service could use 
this flaw to conduct man-in-the-middle (MiTM) attacks.

References:
[1] http://www.openwall.com/lists/oss-security/2013/01/02/1
[2] http://www.openwall.com/lists/oss-security/2013/01/03/1
[3] https://github.com/tpyo/amazon-s3-php-class/pull/36

Relevant upstream patch:
[4] https://github.com/tmuras/amazon-s3-php-class/commit/07bb73fe2ad2c74e0d1af395a391ddb8d0fcaa7c
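
The setting this report turns on can be audited mechanically. The following is an added example, not code from Moodle, the S3 class, or the referenced patch: a small Python script that scans PHP source for `CURLOPT_SSL_VERIFYHOST` values other than `2`. The function names and the sample PHP are constructed for illustration.

```python
import re

# Matches both PHP forms: curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, <value>)
# and the curl_setopt_array() form CURLOPT_SSL_VERIFYHOST => <value>.
VERIFYHOST_RE = re.compile(r"CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*([^,;)\s]+)")

def classify(value):
    """Map the literal passed for CURLOPT_SSL_VERIFYHOST to a verdict."""
    v = value.lower()
    if v == "2":
        return "ok"        # name in the certificate must match the hostname
    if v in ("1", "true"):
        return "weak"      # the flaw described above; PHP true is passed as 1
    if v in ("0", "false"):
        return "disabled"  # no hostname check at all
    return "review"        # variable or expression: needs a human look

def scan_php(source):
    """Return (line_number, value, verdict) for every non-'ok' setting."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # crude: ignore trailing // comments
        for match in VERIFYHOST_RE.finditer(code):
            verdict = classify(match.group(1))
            if verdict != "ok":
                findings.append((lineno, match.group(1), verdict))
    return findings

# Constructed sample input, not taken from Moodle or the S3 class.
SAMPLE = """<?php
$curl = curl_init();
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt_array($ch, array(CURLOPT_SSL_VERIFYHOST => true));
// curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify);
"""

if __name__ == "__main__":
    for lineno, value, verdict in scan_php(SAMPLE):
        print(f"line {lineno}: CURLOPT_SSL_VERIFYHOST={value} -> {verdict}")
```
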
Comment 1 Anthony Basile gentoo-dev 2013-01-07 20:03:48 UTC
Please see bug #444788; it's actually a PHP issue resulting from a change in the way curl does SSL in curl-7.28.1, and it's fixed in the new PHP head.  I've already pursued it with PHP upstream.  I'm not sure you need to change anything with Moodle, but I could be wrong.  I'll look at the Moodle tracker to see if it's a known issue.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-09-17 22:31:30 UTC
CVE-2012-6087 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6087):
  repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11,
  2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not
  verify that the server hostname matches a domain name in the subject's
  Common Name (CN) or subjectAltName field of the X.509 certificate, which
  allows man-in-the-middle attackers to spoof SSL servers via an arbitrary
  valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-04 13:12:37 UTC
No vulnerable versions left in tree.  Unstable package so no GLSA required.  Closing.