
Bug 616044 (CVE-2017-6919, SA-CORE-2017-002)

Summary: <www-apps/drupal-{8.2.8,8.3.1}: Access Bypass (SA-CORE-2017-002)
Product: Gentoo Security
Reporter: Jorge Manuel B. S. Vicetto <jmbsvicetto>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.drupal.org/SA-CORE-2017-002
Whiteboard: ~1 [noglsa cve]
Package list:
Runtime testing required: ---

Description Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2017-04-19 19:50:23 UTC
A critical access bypass was reported for Drupal versions <8.2.8 and <8.3.1, as per the Drupal advisory DRUPAL-SA-CORE-2017-002. Drupal 7 is *not* affected.

From the advisory:
This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:

    The site has the RESTful Web Services (rest) module enabled.
    The site allows PATCH requests.
    An attacker can get or register a user account on the site.

Fixed versions are already in the tree and the affected versions were dropped.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86d31afe3bd4ba200886e7791071bc7d63099741
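Applying the advisory's three conditions and the fixed-version boundaries to a site's exported configuration, as an added triage example (not code from this bug report, Gentoo or Drupal); the dict shapes are assumptions modelled on Drupal 8's exported `core.extension`, `rest.resource.*` and `user.settings` config:

```python
# Added example, not code from the bug report, Gentoo or Drupal: a triage
# helper that applies the advisory's exposure conditions to a site's config.
# The config shapes are assumptions modelled on Drupal 8 config exports
# (core.extension.yml, rest.resource.*.yml, user.settings.yml); verify them
# against your own `drush config-export` output before trusting the verdict.

FIXED = {2: (8, 2, 8), 3: (8, 3, 1)}  # fixed release per 8.x branch, per the advisory

def parse_version(v):
    """'8.3.0' -> (8, 3, 0), '7.54' -> (7, 54, 0); other shapes are rejected."""
    parts = tuple(int(p) for p in v.split("."))
    if len(parts) not in (2, 3):
        raise ValueError("expected MAJOR.MINOR[.PATCH], got %r" % (v,))
    return parts + (0,) * (3 - len(parts))

def version_affected(v):
    """True if this core version predates the fix on its branch (Drupal 7: never)."""
    major, minor, patch = parse_version(v)
    if major != 8:
        return False
    # 8.3.x was fixed in 8.3.1; every other 8.x release falls under "<8.2.8".
    return (major, minor, patch) < FIXED.get(minor, FIXED[2])

def rest_allows_patch(rest_resources):
    """rest_resources maps rest.resource.* config names to their exported dicts."""
    return any(
        "PATCH" in [m.upper() for m in cfg.get("configuration", {}).get("methods", [])]
        for cfg in rest_resources.values()
    )

def assess(version, core_extension, rest_resources, user_settings):
    """Return (exposed, reasons); exposed only when every advisory condition holds.
    Only open self-registration is checked for the account condition; an existing
    untrusted account satisfies it too, so a "NOT" there is not a clean bill."""
    checks = [
        (version_affected(version), "core %s predates the fix" % version),
        ("rest" in core_extension.get("module", {}), "rest module is enabled"),
        (rest_allows_patch(rest_resources), "a REST resource allows PATCH"),
        (user_settings.get("register") != "admin_only", "visitors can register accounts"),
    ]
    reasons = [msg if ok else "NOT: " + msg for ok, msg in checks]
    return all(ok for ok, _ in checks), reasons

# Constructed sample: a hypothetical 8.3.0 site with rest enabled and PATCH on nodes.
SAMPLE_EXTENSION = {"module": {"node": 0, "rest": 0, "serialization": 0, "user": 0}}
SAMPLE_REST = {"rest.resource.entity.node": {"configuration": {"methods": ["GET", "PATCH"]}}}
SAMPLE_USER = {"register": "visitors"}
if __name__ == "__main__":
    exposed, why = assess("8.3.0", SAMPLE_EXTENSION, SAMPLE_REST, SAMPLE_USER)
    print("exposed" if exposed else "not exposed", "-", "; ".join(why))
```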
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-04-19 19:59:21 UTC
Repository is clean, no stable package was affected. All done!

Maintainer(s), thank you for your work.