Bug 612884 (CVE-2017-6377, CVE-2017-6379, CVE-2017-6381)

Summary: <www-apps/drupal-8.2.7: multiple vulnerabilities (CVE-2017-{6377,6379,6381})
Product: Gentoo Security
Reporter: Thomas Deutschmann <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.drupal.org/SA-2017-001
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann gentoo-dev 2017-03-17 10:28:48 UTC
Incoming details.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-03-17 10:30:21 UTC
CVE-2017-6381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6381):
  A 3rd party development library included with Drupal 8 development
  dependencies is vulnerable to remote code execution. This is mitigated by
  the default .htaccess protection against PHP execution, and the fact that
  Composer development dependencies aren't normally installed. You might be
  vulnerable to this if you are running a version of Drupal before 8.2.2. To
  be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit
  directory from your production deployments.

CVE-2017-6379 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6379):
  Some administrative paths in Drupal 8.2.x before 8.2.7 did not include
  protection for CSRF. This would allow an attacker to disable some blocks on
  a site. This issue is mitigated by the fact that users would have to know
  the block ID.

CVE-2017-6377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6377):
  When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the
  editor will not correctly check access for the file being attached,
  resulting in an access bypass.
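The CVE-2017-6381 entry above recommends checking that Composer development dependencies (the phpunit directory in particular) are not shipped in a production Drupal deployment. The following audit script is an added example written for this page, not code from Gentoo or from the Drupal project. It reads the `require-dev` section of a site's composer.json, reports which of those packages actually exist under `vendor/`, and can prune them. The sample site root it builds (a composer.json and a vendor tree) is constructed for the demonstration; the package names and version constraints in it are illustrative, not taken from the bug report.

```python
import json
import os
import shutil
import tempfile


def dev_packages(composer_json_path):
    """Return the package names listed under require-dev in composer.json."""
    with open(composer_json_path, "r", encoding="utf-8") as fh:
        data = json.load(fh)
    # Composer keys packages as "vendor/package"; require-dev may be absent.
    return sorted(data.get("require-dev", {}))


def deployed_dev_packages(siteroot):
    """List require-dev packages whose directories exist under vendor/.

    Composer installs "vendor/package" at <siteroot>/vendor/<vendor>/<package>,
    so the package name maps directly onto a relative path.
    """
    packages = dev_packages(os.path.join(siteroot, "composer.json"))
    vendor_dir = os.path.join(siteroot, "vendor")
    return [p for p in packages if os.path.isdir(os.path.join(vendor_dir, p))]


def audit(siteroot):
    """Summarise the production-hygiene findings for one site root."""
    return {
        # Any require-dev package present in vendor/ should not be in production.
        "dev_packages_in_vendor": deployed_dev_packages(siteroot),
        # The specific directory the advisory says to remove.
        "phpunit_present": os.path.isdir(os.path.join(siteroot, "vendor", "phpunit")),
    }


def prune_dev_packages(siteroot):
    """Remove deployed require-dev packages from vendor/ and return their names.

    Also drops the now-empty vendor-level directory (e.g. vendor/phpunit) so
    that the check in audit() reflects the cleaned state.
    """
    removed = []
    vendor_dir = os.path.join(siteroot, "vendor")
    for package in deployed_dev_packages(siteroot):
        shutil.rmtree(os.path.join(vendor_dir, package))
        removed.append(package)
        parent = os.path.join(vendor_dir, package.split("/")[0])
        if os.path.isdir(parent) and not os.listdir(parent):
            os.rmdir(parent)
    return removed


def build_sample_siteroot():
    """Create a constructed site root that mistakenly shipped a dev dependency.

    The composer.json content and version constraints here are illustrative
    assumptions for the example, not a copy of Drupal's real manifest.
    """
    root = tempfile.mkdtemp(prefix="drupal-audit-")
    composer = {
        "require": {"drupal/core": "~8.2"},
        "require-dev": {"phpunit/phpunit": "~4.8", "behat/mink": "~1.7"},
    }
    with open(os.path.join(root, "composer.json"), "w", encoding="utf-8") as fh:
        json.dump(composer, fh)
    # Runtime dependency, legitimately present.
    os.makedirs(os.path.join(root, "vendor", "drupal", "core"))
    # Dev dependency that should not have been deployed.
    os.makedirs(os.path.join(root, "vendor", "phpunit", "phpunit"))
    return root


if __name__ == "__main__":
    site = build_sample_siteroot()
    print("before:", audit(site))
    print("removed:", prune_dev_packages(site))
    print("after:", audit(site))
    shutil.rmtree(site)
```

Running the script against a real deployment means pointing `audit()` at the site root that holds composer.json; an empty `dev_packages_in_vendor` list and `phpunit_present: False` is the state the advisory's mitigation describes. Packages that are in `require-dev` but missing from `vendor/` (behat/mink in the sample) are not reported, since they are exactly what a `composer install --no-dev` deployment looks like.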
Comment 2 Thomas Deutschmann gentoo-dev 2017-03-17 10:33:39 UTC
Already in repository. Repository is clean. All done.