| Name | CVE-2012-6087 |
| Description | repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| moodle | source | squeeze | (not affected) | |||
| moodle | source | wheezy | 2.2.3.dfsg-2.6~wheezy1 | |||
| moodle | source | (unstable) | 2.2.7.dfsg-1 |
[squeeze] - moodle <not-affected> (Vulnerable code not present)
https://github.com/tpyo/amazon-s3-php-class/pull/36
https://tracker.moodle.org/browse/MDL-40615