
Bug 728660 (CVE-2020-13663, CVE-2020-13664, SA-CORE-2020-004, SA-CORE-2020-005)

Summary: <www-apps/drupal-{7.72, 8.8.8, 9.0.1}: Multiple vulnerabilities (CVE-2020-{13663,13664})
Product: Gentoo Security
Reporter: Tupone Alfredo <tupone>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.drupal.org/sa-core-2020-004
Whiteboard: ~2 [noglsa cve]
Package list:
Runtime testing required: ---

Description Tupone Alfredo gentoo-dev 2020-06-18 13:18:02 UTC
Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-21 00:39:51 UTC
@maintainer(s), please bump.

"The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
Solution: 

    If you are using Drupal 7.x, upgrade to Drupal 7.72.
    If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
    If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
    If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8."
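A version check against the fixed releases named in the quoted advisory, added here as an example (it is not part of the bug report or of the Drupal project); the installed versions it runs over are constructed, and the rule that later minor branches carry the fix is an assumption stated in the code.

```python
"""Classify installed Drupal versions against SA-CORE-2020-004/005 fixed releases."""
from typing import Tuple

# Fixed release per supported branch, as listed in the advisory quoted above.
FIXED = {
    (7,): (7, 72),
    (8, 8): (8, 8, 8),
    (8, 9): (8, 9, 1),
    (9, 0): (9, 0, 1),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.7.14' into (8, 7, 14); a pre-release suffix such as '-rc1' is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def branch_of(v: Tuple[int, ...]) -> Tuple[int, ...]:
    """Drupal 7 is patched as one branch; 8.x and 9.x are patched per minor branch."""
    return v[:1] if v[0] == 7 else v[:2]


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'unsupported' or 'unknown' for one version."""
    v = parse_version(version)
    branch = branch_of(v)
    fixed = FIXED.get(branch)
    if fixed is None:
        same_major = [b for b in FIXED if b[0] == branch[0]]
        if not same_major:
            return "unknown"        # major release not covered by this advisory
        if branch > max(same_major):
            # Assumption: a minor branch newer than the advisory was cut after the fix.
            return "fixed"
        # Older minor branch (8.7.x and earlier): end-of-life, no fix was issued,
        # so it has to be treated as vulnerable and upgraded to 8.8.8.
        return "unsupported"
    return "fixed" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample of installed versions, e.g. gathered from each host's package manager.
    for installed in ["7.71", "7.72", "8.7.14", "8.8.7", "8.8.8", "8.9.0", "9.0.0", "9.0.1"]:
        print(f"www-apps/drupal-{installed}: {assess(installed)}")
```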
Comment 2 Larry the Git Cow gentoo-dev 2020-06-22 00:25:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=b395bfb389c5dfd4f9b7e08490a94b01ce88276e

commit b395bfb389c5dfd4f9b7e08490a94b01ce88276e
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-06-22 00:21:44 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-06-22 00:21:44 +0000

    www-apps/drupal: Security bump - bug 728660.
    
    Bug: https://bugs.gentoo.org/728660
    Security bump to releases 7.72, 8.8.8, 8.9.1 and 9.0.1.
    CSRF - CVE-2020-13663 / SA-CORE-2020-004
    Arbitrary PHP code execution - SA-CORE-2020-005
    Access bypass - SA-CORE-2020-006
    
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest            |  4 +++
 www-apps/drupal/drupal-7.72.ebuild  | 58 +++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.8.8.ebuild | 68 +++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.9.1.ebuild | 68 +++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-9.0.1.ebuild | 68 +++++++++++++++++++++++++++++++++++++
 5 files changed, 266 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2020-06-22 00:36:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7842faed25c8a7f3859fec7224c3d6fab10d2cb

commit a7842faed25c8a7f3859fec7224c3d6fab10d2cb
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-06-22 00:34:54 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-06-22 00:34:54 +0000

    www-apps/drupal: Security bump - bug 728660.
    
    Bug: https://bugs.gentoo.org/728660
    Security bump to releases 7.72, 8.8.8, 8.9.1 and 9.0.1.
    CSRF - CVE-2020-13663 / SA-CORE-2020-004
    Arbitrary PHP code execution - SA-CORE-2020-005
    Access bypass - SA-CORE-2020-006
    Drop insecure and unsupported releases.
    
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest                           |  9 ++-
 .../{drupal-7.71.ebuild => drupal-7.72.ebuild}     |  0
 .../{drupal-8.7.14.ebuild => drupal-8.8.8.ebuild}  |  0
 .../{drupal-8.8.7.ebuild => drupal-8.9.1.ebuild}   |  0
 www-apps/drupal/drupal-9.0.0.ebuild                | 68 ----------------------
 .../{drupal-8.9.0.ebuild => drupal-9.0.1.ebuild}   |  0
 6 files changed, 4 insertions(+), 73 deletions(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-22 00:39:31 UTC
* CVE-2020-13664 (CVE-2020-13664)

"Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Windows servers are most likely to be affected."

----
Thanks Jorge! All done. :)