Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 450744 (CVE-2012-6087) - www-apps/moodle: Improper use of cURL API might lead to improper SSL certificate verification (MiTM) (CVE-2012-6087)
Summary: www-apps/moodle: Improper use of cURL API might lead to improper SSL certific...
Status: RESOLVED FIXED
Alias: CVE-2012-6087
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~3[noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-07 19:21 UTC by Agostino Sarubbo
Modified: 2016-03-04 13:12 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-01-07 19:21:32 UTC
From $URL :

A security flaw was found in the way Moodle, a course management system (CMS), used (lib)cURL's 
CURLOPT_SSL_VERIFYHOST variable, when doing certificate validation (value of '1' meaning only check 
for the existence of a common name was used instead of value '2' - which also checks if the 
particular common name matches the requested hostname of the server). A rogue service could use 
this flaw to conduct man-in-the-middle (MiTM) attacks.

References:
[1] http://www.openwall.com/lists/oss-security/2013/01/02/1
[2] http://www.openwall.com/lists/oss-security/2013/01/03/1
[3] https://github.com/tpyo/amazon-s3-php-class/pull/36

Relevant upstream patch:
[4] https://github.com/tmuras/amazon-s3-php-class/commit/07bb73fe2ad2c74e0d1af395a391ddb8d0fcaa7c
[reply] [-] Comment 1
Comment 1 Anthony Basile gentoo-dev 2013-01-07 20:03:48 UTC
Please see bug #444788, its actually a php issue resulting from a change in the way curl does ssl in curl-7.28.1, and its fixed in the new php head.  I've already purused it with php upstream.  I'm not sure you need to change anything with moodle, but I could be wrong.  I'll look at the moodle tracker to see if its a known issue.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-09-17 22:31:30 UTC
CVE-2012-6087 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6087):
  repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11,
  2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not
  verify that the server hostname matches a domain name in the subject's
  Common Name (CN) or subjectAltName field of the X.509 certificate, which
  allows man-in-the-middle attackers to spoof SSL servers via an arbitrary
  valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-04 13:12:37 UTC
No vulnerable versions left in tree.  Unstable package so no GLSA required.  Closing.