From $URL :
A security flaw was found in the way Moodle, a course management system (CMS), used (lib)cURL's
CURLOPT_SSL_VERIFYHOST variable, when doing certificate validation (value of '1' meaning only check
for the existence of a common name was used instead of value '2' - which also checks if the
particular common name matches the requested hostname of the server). A rogue service could use
this flaw to conduct man-in-the-middle (MiTM) attacks.
Relevant upstream patch:
Comment 1
Please see bug #444788, it's actually a php issue resulting from a change in the way curl does ssl in curl-7.28.1, and it's fixed in the new php head. I've already pursued it with php upstream. I'm not sure you need to change anything with moodle, but I could be wrong. I'll look at the moodle tracker to see if it's a known issue.
repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11,
2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not
verify that the server hostname matches a domain name in the subject's
Common Name (CN) or subjectAltName field of the X.509 certificate, which
allows man-in-the-middle attackers to spoof SSL servers via an arbitrary
valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value.
No vulnerable versions left in tree. Unstable package so no GLSA required. Closing.
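For auditing other PHP code for the CURLOPT_SSL_VERIFYHOST misuse described in this bug, the following scanner is an added example, not code from Moodle, PHP or this tracker. The PHP sample is constructed, `$verify_host` is a hypothetical variable, and the verdict labels are this example's own.

```python
import re

# Constructed PHP input for the demo (not Moodle's code).
SAMPLE_PHP = """<?php
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
// curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify_host ? 2 : 0);
curl_setopt_array($ch, array(CURLOPT_SSL_VERIFYHOST => 2));
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
"""

# Covers both curl_setopt($ch, OPT, value) and the "OPT => value" array form.
_OPT = re.compile(r"CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*([^\s,;)]+)")


def classify(value):
    """Map the literal passed for CURLOPT_SSL_VERIFYHOST to a verdict."""
    v = value.strip("'\"").lower()
    if v == "2":
        return "ok"              # name in the certificate must match the host
    if v in ("1", "true"):       # PHP passes true to libcurl as the integer 1
        return "cn-exists-only"  # the value this bug reports
    if v in ("0", "false", "null"):
        return "disabled"        # no hostname check at all
    return "review"              # variable or expression: trace it by hand


def audit(php_source):
    """Return (line number, raw value, verdict) for every setting that is not 2."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        # Skip lines that are entirely a comment.
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        for m in _OPT.finditer(line):
            verdict = classify(m.group(1))
            if verdict != "ok":
                findings.append((lineno, m.group(1), verdict))
    return findings


if __name__ == "__main__":
    for lineno, value, verdict in audit(SAMPLE_PHP):
        print(f"line {lineno}: CURLOPT_SSL_VERIFYHOST = {value} -> {verdict}")
```

A "review" verdict means the value is not a literal, so the scanner cannot tell whether the hostname check ends up enabled.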