Summary: | <www-apps/drupal-{7.70, 8.7.14, 8.8.6}: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tupone Alfredo <tupone> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | web-apps |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.drupal.org/project/drupal/releases/7.70 | ||
Whiteboard: | ~4 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Tupone Alfredo
Thanks for letting us know about this.

* SA-CORE-2020-2

Description: "The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are [...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub."

URL: https://www.drupal.org/sa-core-2020-002

* SA-CORE-2020-3

Description: "Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function."

URL: https://www.drupal.org/sa-core-2020-003

@maintainer(s), please bump to 7.70, 8.7.14, and 8.8.6.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3609c25e2e5c6aa5f3647d0b394d5b4b4b76ddb1

commit 3609c25e2e5c6aa5f3647d0b394d5b4b4b76ddb1
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-22 00:57:15 +0000
Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-22 00:57:15 +0000

    www-apps/drupal: Security bumps (8.8.6, 8.7.14 and 7.70).

    8.8.6 and 8.7.14 releases include SA-CORE-2020-002.
    7.70 release includes SA-CORE-2020-002 and SA-CORE-2020-003.

    Bug: https://bugs.gentoo.org/724498
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest | 3 ++
 www-apps/drupal/drupal-7.70.ebuild | 58 ++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.7.14.ebuild | 68 ++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.8.6.ebuild | 68 ++++++++++++++++++++++++++++++++++++
 4 files changed, 197 insertions(+)

I had started working on this, but took a bit longer than expected to push to the tree [1].

[1] - https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=d5126d536ae1b22673e0aee27a28dc45226d631f

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5f67f0520c54f46cff1452953aab2d711cc680c

commit c5f67f0520c54f46cff1452953aab2d711cc680c
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-05-22 00:59:56 +0000
Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-05-22 00:59:56 +0000

    www-apps/drupal: Drop old and vulnerable releases.

    Bug: https://bugs.gentoo.org/724498
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest | 5 ---
 www-apps/drupal/drupal-7.69.ebuild | 58 ------------------------------
 www-apps/drupal/drupal-8.7.12.ebuild | 68 ------------------------------------
 www-apps/drupal/drupal-8.7.13.ebuild | 68 ------------------------------------
 www-apps/drupal/drupal-8.8.4.ebuild | 68 ------------------------------------
 www-apps/drupal/drupal-8.8.5.ebuild | 68 ------------------------------------
 6 files changed, 335 deletions(-)

Closing because tree clean, no stable ebuilds. Thank you! :)
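
A detection sketch for the open redirect quoted from SA-CORE-2020-3 above, added here as an example and not taken from Drupal, Gentoo or this bug: it scans web-server access logs for requests whose destination query parameter points away from the site. The log lines, the host name www.example.com and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/May/2020:01:10:02 +0000] '
    '"GET /user/login?destination=node/12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/May/2020:01:11:40 +0000] '
    '"GET /user/login?destination=https%3A%2F%2Fexample.org%2Fpromo HTTP/1.1" 302 0',
    '203.0.113.9 - - [22/May/2020:01:12:03 +0000] '
    '"GET /?q=user&destination=%2F%2Fexample.org HTTP/1.1" 302 0',
    '198.51.100.7 - - [22/May/2020:01:13:15 +0000] '
    '"GET /node/3?page=2 HTTP/1.1" 200 8812',
]

# Captures the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def destination_is_offsite(value, site_host):
    """Return True when a decoded destination value would leave site_host."""
    if "\\" in value or any(ord(c) < 0x20 for c in value):
        return True  # conservative: not expected in a Drupal path
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-less network reference: compare the host.
        return parts.hostname != site_host
    return False  # plain relative path such as "node/12"


def suspicious_requests(lines, site_host):
    """Return (client_ip, destination) pairs for off-site destinations."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-HTTP line
        query = urlsplit(match.group(1)).query
        # parse_qs percent-decodes values, so encoded URLs are caught too.
        for dest in parse_qs(query).get("destination", []):
            if destination_is_offsite(dest, site_host):
                hits.append((line.split()[0], dest))
    return hits


if __name__ == "__main__":
    for ip, dest in suspicious_requests(SAMPLE_LOG, "www.example.com"):
        print(ip, dest)
```

Hits from before the upgrade to 7.70 are worth correlating with the referring pages or mail campaigns that delivered the links.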