Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 728660 (CVE-2020-13663, CVE-2020-13664, SA-CORE-2020-004, SA-CORE-2020-005) - <www-apps/drupal-{7.72, 8.8.8, 9.0.1}: Multiple vulnerabilities (CVE-2020-{1366313664,})
Summary: <www-apps/drupal-{7.72, 8.8.8, 9.0.1}: Multiple vulnerabilities (CVE-2020-{13...
Status: RESOLVED FIXED
Alias: CVE-2020-13663, CVE-2020-13664, SA-CORE-2020-004, SA-CORE-2020-005
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://www.drupal.org/sa-core-2020-004
Whiteboard: ~2 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-18 13:18 UTC by Tupone Alfredo
Modified: 2020-06-22 00:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tupone Alfredo gentoo-dev 2020-06-18 13:18:02 UTC
Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004

Reproducible: Always
Comment 1 Sam James archtester gentoo-dev Security 2020-06-21 00:39:51 UTC
@maintainer(s), please bump.

"The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
Solution: 

    If you are using Drupal 7.x, upgrade to Drupal 7.72.
    If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
    If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
    If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8."
Comment 2 Larry the Git Cow gentoo-dev 2020-06-22 00:25:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=b395bfb389c5dfd4f9b7e08490a94b01ce88276e

commit b395bfb389c5dfd4f9b7e08490a94b01ce88276e
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-06-22 00:21:44 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-06-22 00:21:44 +0000

    www-apps/drupal: Security bump - bug 728660.
    
    Bug: https://bugs.gentoo.org/728660
    Security bump to releases 7.72, 8.8.8, 8.9.1 and 9.0.1.
    CSRF - CVE-2020-13663 / SA-CORE-2020-004
    Arbirtrary PHP code execution - SA-CORE-2020-005
    Access bypass - SA-CORE-2020-006
    
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest            |  4 +++
 www-apps/drupal/drupal-7.72.ebuild  | 58 +++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.8.8.ebuild | 68 +++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.9.1.ebuild | 68 +++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-9.0.1.ebuild | 68 +++++++++++++++++++++++++++++++++++++
 5 files changed, 266 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2020-06-22 00:36:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7842faed25c8a7f3859fec7224c3d6fab10d2cb

commit a7842faed25c8a7f3859fec7224c3d6fab10d2cb
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-06-22 00:34:54 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-06-22 00:34:54 +0000

    www-apps/drupal: Security bump - bug 728660.
    
    Bug: https://bugs.gentoo.org/728660
    Security bump to releases 7.72, 8.8.8, 8.9.1 and 9.0.1.
    CSRF - CVE-2020-13663 / SA-CORE-2020-004
    Arbirtrary PHP code execution - SA-CORE-2020-005
    Access bypass - SA-CORE-2020-006
    Drop insecure and unsupported releases.
    
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest                           |  9 ++-
 .../{drupal-7.71.ebuild => drupal-7.72.ebuild}     |  0
 .../{drupal-8.7.14.ebuild => drupal-8.8.8.ebuild}  |  0
 .../{drupal-8.8.7.ebuild => drupal-8.9.1.ebuild}   |  0
 www-apps/drupal/drupal-9.0.0.ebuild                | 68 ----------------------
 .../{drupal-8.9.0.ebuild => drupal-9.0.1.ebuild}   |  0
 6 files changed, 4 insertions(+), 73 deletions(-)
Comment 4 Sam James archtester gentoo-dev Security 2020-06-22 00:39:31 UTC
* CVE-2020-13664 (CVE-2020-13664)

"Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Windows servers are most likely to be affected."

----
Thanks Jorge! All done. :)