Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 757252 - <www-apps/drupal-{7.77,8.8.12,8.9.12,9.0.10}: Remote code execution via malicious tarball upload (CVE-2020-{28948,28949})
Summary: <www-apps/drupal-{7.77,8.8.12,8.9.12,9.0.10}: Remote code execution via malic...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://www.drupal.org/sa-core-2020-013
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2020-28948, CVE-2020-28949
  Show dependency tree
 
Reported: 2020-11-27 17:12 UTC by John Helmert III
Modified: 2021-01-11 21:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2020-11-27 17:12:12 UTC
See blocker and vendor advisory at $URL for details, fixed versions are 9.0.9, 8.9.10, 8.8.12, and 7.75. Please bump, thanks!
Comment 1 Sam James archtester gentoo-dev Security 2020-12-16 07:07:47 UTC
ping!
Comment 2 John Helmert III gentoo-dev Security 2021-01-06 08:59:03 UTC
Ping
Comment 3 Sam James archtester gentoo-dev Security 2021-01-10 16:38:58 UTC
ping!
Comment 4 Larry the Git Cow gentoo-dev 2021-01-11 17:51:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=8a9daaf9c614939057ec987e146babc5e6501c50

commit 8a9daaf9c614939057ec987e146babc5e6501c50
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2021-01-11 17:47:16 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2021-01-11 17:47:16 +0000

    www-apps/drupal: Security bump CVE-2020-{28948,28949}
    
    Update to the latest releases to address the security issue and get up to date releases.
    Add 7.77, 8.8.12, 8.9.12, 9.0.01 and 9.1.2 releases.
    Bug: https://bugs.gentoo.org/757252
    
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest             |  5 +++
 www-apps/drupal/drupal-7.77.ebuild   | 58 ++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.8.12.ebuild | 68 ++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.9.12.ebuild | 68 ++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-9.0.10.ebuild | 68 ++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-9.1.2.ebuild  | 68 ++++++++++++++++++++++++++++++++++++
 6 files changed, 335 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2021-01-11 21:07:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e392d33c2816799e327eadd14d01b1700b5fadb3

commit e392d33c2816799e327eadd14d01b1700b5fadb3
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2021-01-11 21:04:22 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2021-01-11 21:05:52 +0000

    www-apps/drupal: Security bump CVE-2020-{28948,28949}
    
    Update to the latest releases to address the security issue and get up to date releases.
    Add 7.77, 8.8.12, 8.9.12, 9.0.01 and 9.1.2 releases.
    Drop vulnerable releases.
    Bug: https://bugs.gentoo.org/757252
    
    Package-Manager: Portage-3.0.11, Repoman-3.0.2
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest                           |  9 +--
 .../{drupal-7.74.ebuild => drupal-7.77.ebuild}     |  2 +-
 .../{drupal-8.8.11.ebuild => drupal-8.8.12.ebuild} |  2 +-
 .../{drupal-8.9.9.ebuild => drupal-8.9.12.ebuild}  |  2 +-
 .../{drupal-9.0.8.ebuild => drupal-9.0.10.ebuild}  |  2 +-
 www-apps/drupal/drupal-9.1.2.ebuild                | 68 ++++++++++++++++++++++
 6 files changed, 77 insertions(+), 8 deletions(-)
Comment 6 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2021-01-11 21:08:37 UTC
Apologies for the delay, but I'm still recreating my development environment for web applications.
Comment 7 John Helmert III gentoo-dev Security 2021-01-11 21:28:37 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #6)
> Apologies for the delay, but I'm still recreating my development environment
> for web applications.

Fortunately from here it's quick ;)

Tree is clean, noglsa, all done.