Bug 835524 (CVE-2022-24728, CVE-2022-24729, SA-CORE-2022-005) - <www-apps/drupal-9.2.18: multiple vulnerabilities
Summary: <www-apps/drupal-9.2.18: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-24728, CVE-2022-24729, SA-CORE-2022-005
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://www.drupal.org/sa-core-2022-005
Whiteboard: ~3 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2022-03-18 01:49 UTC by John Helmert III
Modified: 2023-11-28 19:20 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-18 01:49:31 UTC
CVE-2022-24728 (https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89):

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

CVE-2022-24729 (https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh):

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

Maintainers, are we vulnerable to these?
Comment 1 Tupone Alfredo gentoo-dev 2022-05-04 09:39:11 UTC
commit 7ddc64889b1bc2a991391d2a53f627d8c6bb2303
Author: Alfredo Tupone <tupone@gentoo.org>
Date:   Tue May 3 09:28:20 2022 +0200

    www-apps/drupal: bump version
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-04 15:34:10 UTC
Still not sure if we are or were ever actually affected by this?
Comment 3 Viorel Munteanu gentoo-dev 2023-03-11 07:30:57 UTC
I think we are.  Anything 9.1.x is affected and we still have 9.1.15 in tree.
Comment 4 Larry the Git Cow gentoo-dev 2023-03-11 11:05:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48b5eb917955c7dbad99bdba04f4d988d66e1813

commit 48b5eb917955c7dbad99bdba04f4d988d66e1813
Author:     Viorel Munteanu <ceamac@gentoo.org>
AuthorDate: 2023-03-11 07:16:35 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2023-03-11 11:03:41 +0000

    www-apps/drupal: drop 9.1.15
    
    drupal 9.1 reached end of life and no longer receives security updates.
    
    Bug: https://bugs.gentoo.org/831818
    Bug: https://bugs.gentoo.org/835524
    Bug: https://bugs.gentoo.org/873361
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 www-apps/drupal/Manifest             |  1 -
 www-apps/drupal/drupal-9.1.15.ebuild | 68 ------------------------------------
 2 files changed, 69 deletions(-)