Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 401989 (CVE-2012-0825) - <www-apps/drupal-7.12 : Security Issue and Security Bypass Vulnerability (CVE-2012-{0825,0826,0827})
Summary: <www-apps/drupal-7.12 : Security Issue and Security Bypass Vulnerability (CVE...
Status: RESOLVED FIXED
Alias: CVE-2012-0825
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://drupal.org/node/1425084
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-02 20:46 UTC by Agostino Sarubbo
Modified: 2013-12-12 17:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-02-02 20:46:10 UTC
From upstream advisory at $URL:



Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.

Versions affected
Drupal 6.x core prior to 6.23.
Drupal 7.x core prior to 7.11.


Solution:

If you use Drupal 6.x upgrade to 6.23
If you use Drupal 7.x upgrade to 7.11
Comment 1 Tim Harder gentoo-dev 2012-02-05 05:53:52 UTC
6.24 and 7.12 added to CVS.
Comment 2 Agostino Sarubbo gentoo-dev 2012-02-05 08:37:15 UTC
(In reply to comment #1)
> 6.24 and 7.12 added to CVS.

thanks, closing.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 17:38:21 UTC
CVE-2012-0825 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0825):
  Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute
  Exchange (AX) information is signed, which allows remote attackers to modify
  potentially sensitive AX information without detection via a
  man-in-the-middle (MITM) attack.