| Summary: | <www-apps/drupal-{7.24,6.29} : multiple vulnerabilities (CVE-2013-{6385,6386,6387,6388,6389}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | web-apps |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1032973 | ||
| Whiteboard: | ~2 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
Please version bump drupal to 7.24 ASAP. drupal 7.24 version bump done. (In reply to Jorge Manuel B. S. Vicetto from comment #2) > drupal 7.24 version bump done. Guys, thank you for this. Are you also going to bump 6.28 to 6.29? There are many websites out there that are still running on drupal 6 (and so was drupal.org until a month ago). -- Regards, Mick (In reply to MickKi from comment #3) > > Are you also going to bump 6.28 to 6.29? There are many websites out there > that are still running on drupal 6 (and so was drupal.org until a month ago). > -- > Regards, > Mick Bump to 6.29 done. I don't have an install with drupal-6 to test, but given the diff to 6.28 was small and was only related to the bump and security fixing, I've committed it to the tree. Please test it and report back if you get any errors. Thank you for your work, and cleanup. Since there are no stable packages, No GLSA is required. CVE-2013-6389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6389): Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. CVE-2013-6386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6386): Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack. CVE-2013-6385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6385): The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors. CVE-2013-6388 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6388): Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS. CVE-2013-6387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6387): Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field. |
From ${URL} : Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. * Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7) Drupal's form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations. Given that the CSRF protection is an especially important validation, the Drupal core form API has been changed in this release so that it now skips subsequent validation if the CSRF validation fails. This vulnerability is mitigated by the fact that a form validation callback with potentially unsafe side effects must be active on the site, and none exist in core. However, issues were discovered in several popular contributed modules which allowed remote code execution that made it worthwhile to fix this issue in core. Other similar issues with varying impacts are likely to have existed in other contributed modules and custom modules and therefore will also be fixed by this Drupal core release. * Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7) Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances. This vulnerability has no mitigation; all Drupal sites are affected until the security update has been applied. * Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7) Drupal core attempts to add a "defense in depth" protection to prevent script execution by placing a .htaccess file into the files directories that stops execution of PHP scripts on the Apache web server. This protection is only necessary if there is a vulnerability on the site or on a server that allows users to upload malicious files. The configuration in the .htaccess file did not prevent code execution on certain Apache web server configurations. This release includes new configuration to prevent PHP execution on several additional common Apache configurations. If you are upgrading a site and the site is run by Apache you must fix the file manually, as described in the "Solution" section below. This vulnerability is mitigated by the fact it only relates to a defense in depth mechanism, and sites would only be vulnerable if they are hosted on a server which contains code that does not use protections similar to those found in Drupal's file API to manage uploads in a safe manner. * Access bypass (Security token validation - Drupal 6 and 7) The function drupal_valid_token() can return TRUE for invalid tokens if the caller does not make sure that the token is a string. This vulnerability is mitigated by the fact that a contributed or custom module must invoke drupal_validate_token() with an argument that can be manipulated to not be a string by an attacker. There is currently no known core or contributed module that would suffer from this vulnerability. * Cross-site scripting (Image module - Drupal 7) Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a cross-site scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a permission to administer field descriptions, for example the "administer taxonomy" permission to edit fields on taxonomy terms. * Cross-site scripting (Color module - Drupal 7) A cross-site scripting vulnerability was found in the Color module. A malicious attacker could trick an authenticated administrative user intovisiting a page containing specific JavaScript that could lead to a reflected cross-site scripting attack via JavaScript execution in CSS. This vulnerability is mitigated by the fact that it can only take place in older browsers, and in a restricted set of modern browsers, namely Opera through user interaction, and Internet Explorer under certain conditions. * Open redirect (Overlay module - Drupal 7) The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability. This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission. References: http://seclists.org/fulldisclosure/2013/Nov/160 @maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. Please remove the affected versions from the tree.