Bug 552416 - <www-apps/drupal-{6.36,7.38}: Multiple vulnerabilities (CVE-2015-{3231,3232,3233,3234})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.drupal.org/SA-CORE-2015-002
Whiteboard: ~3 [noglsa cve]
Reported: 2015-06-17 21:01 UTC by MickKi
Modified: 2015-07-05 21:41 UTC
Description MickKi 2015-06-17 21:01:13 UTC
Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-002 - A number of critical and less critical vulnerabilities affect <www-apps/drupal-{6.36,7.38}.

Reproducible: Always
The following vulnerabilities were announced today:

1. Impersonation (OpenID module - Drupal 6 and 7 - Critical) - CVE-2015-3234

2. Open redirect (Field UI module - Drupal 7 - Less critical) - CVE-2015-3232

3. Open redirect (Overlay module - Drupal 7 - Less critical) - CVE-2015-3233

4. Information disclosure (Render cache system - Drupal 7 - Less critical) - CVE-2015-3231

-- 
Regards,
Mick
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2015-06-18 20:47:01 UTC
13:54 < gentoovcs> jmbsvicetto → gentoo-x86 (www-apps/drupal/) Bump drupal to releases 7.38 and 6.36 - fixes bug 552416. Security bump - CVE-2015-{3231,3232,3233,3234}. Add drupal-8.0.0_beta11 from my overlay.
13:54 < willikins> gentoovcs: https://bugs.gentoo.org/552416 "<www-apps/drupal-{6.36,7.38}: Multiple vulnerabilities (CVE-2015-{3231,3232,3233,3234})"; Gentoo Security, Vulnerabilities; IN_P;

New releases added to the tree and affected versions dropped.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-07-05 21:41:13 UTC
CVE-2015-3234 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3234):
  The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows
  remote attackers to log into other users' accounts by leveraging an OpenID
  identity from certain providers, as demonstrated by the Verisign,
  LiveJournal, and StackExchange providers.

CVE-2015-3233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3233):
  Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38
  allows remote attackers to redirect users to arbitrary web sites and conduct
  phishing attacks via unspecified vectors.

CVE-2015-3232 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3232):
  Open redirect vulnerability in the Field UI module in Drupal 7.x before 7.38
  allows remote attackers to redirect users to arbitrary web sites and conduct
  phishing attacks via a URL in the destinations parameter.