Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004
Reproducible: Always
@maintainer(s), please bump.

"The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

Solution: If you are using Drupal 7.x, upgrade to Drupal 7.72. If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8. If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1. If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1. Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8."
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=b395bfb389c5dfd4f9b7e08490a94b01ce88276e

commit b395bfb389c5dfd4f9b7e08490a94b01ce88276e
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-06-22 00:21:44 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-06-22 00:21:44 +0000

    www-apps/drupal: Security bump - bug 728660.

    Bug: https://bugs.gentoo.org/728660

    Security bump to releases 7.72, 8.8.8, 8.9.1 and 9.0.1.
    CSRF - CVE-2020-13663 / SA-CORE-2020-004
    Arbitrary PHP code execution - SA-CORE-2020-005
    Access bypass - SA-CORE-2020-006

    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest            |  4 +++
 www-apps/drupal/drupal-7.72.ebuild  | 58 +++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.8.8.ebuild | 68 +++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.9.1.ebuild | 68 +++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-9.0.1.ebuild | 68 +++++++++++++++++++++++++++++++++++++
 5 files changed, 266 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7842faed25c8a7f3859fec7224c3d6fab10d2cb

commit a7842faed25c8a7f3859fec7224c3d6fab10d2cb
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-06-22 00:34:54 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-06-22 00:34:54 +0000

    www-apps/drupal: Security bump - bug 728660.

    Bug: https://bugs.gentoo.org/728660

    Security bump to releases 7.72, 8.8.8, 8.9.1 and 9.0.1.
    CSRF - CVE-2020-13663 / SA-CORE-2020-004
    Arbitrary PHP code execution - SA-CORE-2020-005
    Access bypass - SA-CORE-2020-006

    Drop insecure and unsupported releases.

    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest                          |  9 ++-
 .../{drupal-7.71.ebuild => drupal-7.72.ebuild}    |  0
 .../{drupal-8.7.14.ebuild => drupal-8.8.8.ebuild} |  0
 .../{drupal-8.8.7.ebuild => drupal-8.9.1.ebuild}  |  0
 www-apps/drupal/drupal-9.0.0.ebuild               | 68 ----------------------
 .../{drupal-8.9.0.ebuild => drupal-9.0.1.ebuild}  |  0
 6 files changed, 4 insertions(+), 73 deletions(-)
* CVE-2020-13664 (CVE-2020-13664)

"Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected."

----

Thanks Jorge! All done. :)