Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-002

A number of critical and less critical vulnerabilities affect <www-apps/drupal-{6.36,7.38}.

Reproducible: Always

The following vulnerabilities were notified today:

1. Impersonation (OpenID module - Drupal 6 and 7 - Critical) - CVE-2015-3234
2. Open redirect (Field UI module - Drupal 7 - Less critical) - CVE-2015-3232
3. Open redirect (Overlay module - Drupal 7 - Less critical) - CVE-2015-3233
4. Information disclosure (Render cache system - Drupal 7 - Less critical) - CVE-2015-3231

--
Regards,
Mick
13:54 < gentoovcs> jmbsvicetto → gentoo-x86 (www-apps/drupal/) Bump drupal to releases 7.38 and 6.36 - fixes bug 552416. Security bump - CVE-2015-{3231,3232,3233,3234}. Add drupal-8.0.0_beta11 from my overlay.
13:54 < willikins> gentoovcs: https://bugs.gentoo.org/552416 "<www-apps/drupal-{6.36,7.38}: Multiple vulnerabilities (CVE-2015-{3231,3232,3233,3234})"; Gentoo Security, Vulnerabilities; IN_P; New releases added to the tree and affected versions dropped.
CVE-2015-3234 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3234): The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users' accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and StackExchange providers.

CVE-2015-3233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3233): Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2015-3232 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3232): Open redirect vulnerability in the Field UI module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destinations parameter.
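Both open-redirect entries above (CVE-2015-3232 and CVE-2015-3233) come down to the same defect: a user-supplied redirect target is honoured without confirming it stays on the site. The following is an added illustration, not Drupal's code and not from this bug thread, of the kind of local-path check a redirect handler needs. It assumes a comma-separated `destinations` query parameter like the Field UI one named in the CVE text, treats anything with a scheme, an authority, a protocol-relative `//` prefix, a backslash or a control character as external, and falls back to a constructed default path when any hop fails the check.

```python
from urllib.parse import urlsplit


def is_local_path(target: str) -> bool:
    """Return True only if `target` is a same-site path such as 'admin/structure/types'.

    Rejects absolute URLs ('http://...'), scheme-only tricks ('javascript:...'),
    protocol-relative URLs ('//evil.example'), backslashes (browsers treat
    '/\\evil.example' as '//evil.example') and control characters (header
    injection / URL parser desynchronisation). This is an illustrative check,
    not Drupal's url_is_external() or its 7.38 fix.
    """
    if not target:
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    if "\\" in target:
        return False
    if target.startswith("//"):
        return False
    # A colon in the first path segment is a scheme or host:port, never a local route.
    if ":" in target.split("/", 1)[0]:
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def resolve_destinations(param: str, default: str = "<front>") -> list:
    """Parse a comma-separated multi-hop `destinations` parameter (assumed format).

    Every hop must be local; if any hop is external the whole chain is discarded
    and the caller redirects to `default` instead, so an attacker cannot smuggle
    an external hop behind a harmless first one.
    """
    hops = [hop.strip() for hop in param.split(",") if hop.strip()]
    if not hops or not all(is_local_path(hop) for hop in hops):
        return [default]
    return hops


if __name__ == "__main__":
    # Constructed sample inputs, not values from the advisory.
    samples = [
        "admin/structure/types/manage/article/fields,admin/structure/types",
        "node/1,http://evil.example/login",
        "//evil.example/login",
        "javascript:alert(1)",
        "/\\evil.example",
    ]
    for sample in samples:
        print(f"{sample!r:60} -> {resolve_destinations(sample)}")
```

The check is deliberately a whitelist of "looks like a relative route" rather than a blacklist of known-bad schemes; the parser quirks around `//`, backslashes and `host:port` prefixes are exactly where blacklist-style redirect filters have historically been bypassed.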