Bug 600124 (CVE-2016-9449, CVE-2016-9450, CVE-2016-9451, CVE-2016-9452, DRUPAL-SA-CORE-2016-005) - <www-apps/drupal-{7.52,8.2.3}: Multiple Vulnerabilities (DRUPAL-SA-CORE-2016-005)
Alias: CVE-2016-9449, CVE-2016-9450, CVE-2016-9451, CVE-2016-9452, DRUPAL-SA-CORE-2016-005
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa]
Reported: 2016-11-17 20:13 UTC by MickKi
Modified: 2017-01-06 09:30 UTC

Description MickKi 2016-11-17 20:13:49 UTC
Multiple security vulnerabilities for Drupal versions <7.52 and <8.2.3, as per Drupal advisory DRUPAL-SA-CORE-2016-005.

Reproducible: Always

Expected Results:  
Please bring <www-apps/drupal-{7.52,8.2.3} in the tree.

Vulnerabilities listed in the advisory are:

1. Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 8)
2. Incorrect cache context on password reset page (Less critical - Drupal 8)
3. Confirmation forms allow external URLs to be injected (Moderately critical - Drupal 7)
4. Denial of service via transliterate mechanism (Moderately critical - Drupal 8)
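As an added check that is not part of the bug report or of Drupal's own tooling: a small Python helper that classifies an installed www-apps/drupal version against the fixed versions named above (7.52 for the 7.x branch, 8.2.3 for the 8.x branch) and treats the 6.x branch as unsupported, since no fix will be published for it. The package atoms in the sample are constructed for illustration; on a Gentoo host the same strings can be obtained with `qlist -Iv www-apps/drupal`.

```python
"""Classify installed www-apps/drupal versions against DRUPAL-SA-CORE-2016-005.

Added example, not code from the bug report or the Drupal project.
"""
import re

# Lowest fixed version on each supported branch, taken from the report above.
# Anything on the same branch that sorts below these is affected.
FIXED = {
    7: (7, 52),
    8: (8, 2, 3),
}

# Branches the project no longer supports (Drupal 6 went EOL in Feb 2016).
UNSUPPORTED_MAJORS = {6}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-r\d+)?$")


def parse_version(atom):
    """Return the upstream version of an atom as a tuple of ints.

    Accepts a bare version ("8.1.10") or a Gentoo package string
    ("www-apps/drupal-7.52-r1"); the Gentoo revision suffix (-rN) is
    ignored because it does not change the upstream code.
    """
    match = _VERSION_RE.search(atom)
    if not match:
        raise ValueError("no version found in %r" % atom)
    return tuple(int(part) for part in match.group(1).split("."))


def assess(atom):
    """Return 'vulnerable', 'fixed', 'unsupported' or 'unknown' for one atom."""
    version = parse_version(atom)
    major = version[0]
    if major in UNSUPPORTED_MAJORS:
        return "unsupported"
    fixed = FIXED.get(major)
    if fixed is None:
        # Branch not covered by this advisory (e.g. a later major release).
        return "unknown"
    # Tuple comparison orders (8, 1, 10) < (8, 2, 3) correctly, unlike a
    # string comparison of "8.1.10" and "8.2.3".
    return "vulnerable" if version < fixed else "fixed"


def report(atoms):
    """Map each installed atom to its classification."""
    return {atom: assess(atom) for atom in atoms}


if __name__ == "__main__":
    # Constructed sample, standing in for `qlist -Iv www-apps/drupal` output.
    installed = [
        "www-apps/drupal-6.38",
        "www-apps/drupal-7.51-r1",
        "www-apps/drupal-7.52",
        "www-apps/drupal-8.1.10",
        "www-apps/drupal-8.2.3",
    ]
    for atom, status in report(installed).items():
        print("%-28s %s" % (atom, status))
```

The check deliberately ignores the Gentoo `-rN` revision: an ebuild revision bump does not change the upstream Drupal code, so 7.51-r1 is still an affected 7.51.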
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2016-11-18 04:13:34 UTC
04:07 < gentoovcs> jmbsvicetto → repo/gentoo (www-apps/drupal/) Add 8.2.3 and 7.52 releases - (DRUPAL-SA-CORE-2016-005) bug 600124.
04:07 < gentoovcs> jmbsvicetto → repo/gentoo (www-apps/drupal/) Drop old and vulnerable versions.
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2016-11-18 11:26:45 UTC
11:20 < gentoovcs> jmbsvicetto → repo/gentoo (www-apps/drupal/) www-apps/drupal: Drop 8.1.10 as it's vulnerable to DRUPAL-SA-CORE-2016-005 - bug 600124. Mask 6.38 as it's no longer supported and will be removed at the end of the year.

This drops or masks the remaining versions, so there's no more clean-up to be done.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-11-18 12:01:54 UTC
Dropped by maintainer:

Drupal 6 will stay package.masked in tree until the end of the year with appropriate security warning.
Comment 4 MickKi 2016-11-18 18:44:20 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #2)

> This drops or masks the remaining versions, so there's no more clean-up to
> be done.

I may misunderstand what you've written, so just to confirm:

Both Drupal 8.2.3 and Drupal 7.52 are not vulnerable and continue to be supported by the project, so both should stay in the tree.  Meanwhile, Drupal 6 has been announced EoL since 24 February 2016 and is of course unsupported.  It may be better if drupal was slotted, as the architectural differences between different major versions are significant and migration between them is not a trivial exercise.

Comment 5 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2016-11-20 16:19:25 UTC
(In reply to MickKi from comment #4)
> (In reply to Jorge Manuel B. S. Vicetto from comment #2)
> > This drops or masks the remaining versions, so there's no more clean-up to
> > be done.
> I may misunderstand what you've written, so just to confirm:
> Both Drupal 8.2.3 and Drupal 7.52 are not vulnerable and continue to be
> supported by the project, so both should stay on the tree.  Meanwhile,
> Drupal 6 has been announced EoL since 24 February 2016 and is of course
> unsupported.  It may be better if drupal was slotted as the architectural
> differences between different major versions are significant and migration
> between them is not a trivial exercise.

So I dropped the vulnerable 8.1.10 version and masked the 6.38 release.

> HTH.
> -- 
> Regards,
> Mick
Comment 6 Michał Górny gentoo-dev 2017-01-06 09:30:32 UTC
commit fc20a1ad964731a5394196d52c464f4d60b77607
Author:     Michał Górny <>
AuthorDate: Fri Jan 6 10:24:12 2017
Commit:     Michał Górny <>
CommitDate: Fri Jan 6 10:29:32 2017

    www-apps/drupal: Clean 6.38 up (masked for removal), #600124