| Summary: | <www-apps/drupal-{7.24,6.29} : multiple vulnerabilities (CVE-2013-{6385,6386,6387,6388,6389}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1032973 | | |
| Whiteboard: | ~2 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-11-21 11:58:47 UTC
Please version bump drupal to 7.24 ASAP.

drupal 7.24 version bump done.

(In reply to Jorge Manuel B. S. Vicetto from comment #2)
> drupal 7.24 version bump done.

Guys, thank you for this. Are you also going to bump 6.28 to 6.29? There are many websites out there that are still running on drupal 6 (and so was drupal.org until a month ago).

--
Regards,
Mick

(In reply to MickKi from comment #3)
> Are you also going to bump 6.28 to 6.29? There are many websites out there
> that are still running on drupal 6 (and so was drupal.org until a month ago).
> --
> Regards,
> Mick

Bump to 6.29 done. I don't have an install with drupal-6 to test, but given the diff to 6.28 was small and was only related to the bump and security fixing, I've committed it to the tree. Please test it and report back if you get any errors.

Thank you for your work, and cleanup. Since there are no stable packages, no GLSA is required.

CVE-2013-6389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6389): Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-6386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6386): Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack.

CVE-2013-6385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6385): The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors.

CVE-2013-6388 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6388): Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS.

CVE-2013-6387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6387): Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field.
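The ordering flaw behind CVE-2013-6385 (application validators still running after the CSRF token check has failed) is easy to model outside Drupal. The following is an added example, not Drupal's form API and not code from this bug: a hypothetical form dispatcher in its vulnerable and hardened forms, with a constructed validator that has a visible side effect.

```python
# Hypothetical model of the bug class in CVE-2013-6385; not Drupal code.
import hmac
import secrets

SESSION_SECRET = secrets.token_bytes(32)  # constructed per-session secret


def form_token(form_id: str) -> str:
    """Per-form anti-CSRF token bound to the session secret."""
    return hmac.new(SESSION_SECRET, form_id.encode(), "sha256").hexdigest()


def token_ok(form_id: str, submitted: str) -> bool:
    return hmac.compare_digest(form_token(form_id), submitted)


def vulnerable_submit(form_id, values, validators, trace):
    """Records the token failure as just another error, then runs every
    application validator anyway, so their side effects happen for a
    request that was never proven to come from the user."""
    errors = []
    if not token_ok(form_id, values.get("form_token", "")):
        errors.append("invalid token")
    for validate in validators:          # runs even when the token failed
        err = validate(values, trace)
        if err:
            errors.append(err)
    return errors


def hardened_submit(form_id, values, validators, trace):
    """Rejects the request before any application validator executes."""
    if not token_ok(form_id, values.get("form_token", "")):
        return ["invalid token"]
    errors = []
    for validate in validators:
        err = validate(values, trace)
        if err:
            errors.append(err)
    return errors


def side_effect_validator(values, trace):
    """Constructed stand-in for a third-party module validator whose
    body does real work (recorded in `trace`) before returning."""
    trace.append(("executed", values.get("title")))
    return None if values.get("title") else "title required"


def demo(submit):
    """Submit a request with a bogus token and report what ran."""
    trace = []
    forged = {"title": "forged", "form_token": "not-a-valid-token"}
    errors = submit("node_form", forged, [side_effect_validator], trace)
    return errors, trace
```

With `demo(vulnerable_submit)` the validator's side effect is recorded despite the token error; with `demo(hardened_submit)` the trace stays empty.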