Bug 600124 (CVE-2016-9449, CVE-2016-9450, CVE-2016-9451, CVE-2016-9452, DRUPAL-SA-CORE-2016-005) - <www-apps/drupal-{7.52,8.2.3}: Multiple Vulnerabilities (DRUPAL-SA-CORE-2016-005)
Summary: <www-apps/drupal-{7.52,8.2.3}: Multiple Vulnerabilities (DRUPAL-SA-CORE-2016-...
Status: RESOLVED FIXED
Alias: CVE-2016-9449, CVE-2016-9450, CVE-2016-9451, CVE-2016-9452, DRUPAL-SA-CORE-2016-005
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.drupal.org/SA-CORE-2016-005
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-17 20:13 UTC by MickKi
Modified: 2017-01-06 09:30 UTC

See Also:
Package list:
Runtime testing required: ---

Description MickKi 2016-11-17 20:13:49 UTC
Multiple security vulnerabilities for drupal versions <7.52 and <8.2.3, as per drupal advisory: DRUPAL-SA-CORE-2016-005.

Reproducible: Always

Expected Results:
Please bring <www-apps/drupal-{7.52,8.2.3} in the tree.

Vulnerabilities listed in it are:

1. Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 8)
2. Incorrect cache context on password reset page (Less critical - Drupal 8)
3. Confirmation forms allow external URLs to be injected (Moderately critical - Drupal 7)
4. Denial of service via transliterate mechanism (Moderately critical - Drupal 8)
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-11-18 04:13:34 UTC
04:07 < gentoovcs> jmbsvicetto → repo/gentoo (www-apps/drupal/) Add 8.2.3 and 7.52 releases - (DRUPAL-SA-CORE-2016-005) bug 600124.
04:07 < gentoovcs> jmbsvicetto → repo/gentoo (www-apps/drupal/) Drop old and vulnerable versions.
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-11-18 11:26:45 UTC
11:20 < gentoovcs> jmbsvicetto → repo/gentoo (www-apps/drupal/) www-apps/drupal: Drop 8.1.10 as it's vulnerable to DRUPAL-SA-CORE-2016-005 - bug 600124. Mask 6.38 as it's no longer supported and will be removed at the end of the year.

This drops or masks the remaining versions, so there's no more clean-up to be done.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-11-18 12:01:54 UTC
Dropped by maintainer:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4d65ab86c0e0478b81e4ce5a0672000bd5b9628

Drupal 6 will stay package.masked in tree until the end of the year with appropriate security warning.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=908cbb45d54f2717cb3edde5c1dc015718f644db
Comment 4 MickKi 2016-11-18 18:44:20 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #2)

> This drops or masks the remaining versions, so there's no more clean-up to
> be done.

I may misunderstand what you've written, so just to confirm:

Both Drupal 8.2.3 and Drupal 7.52 are not vulnerable and continue to be supported by the project, so both should stay on the tree. Meanwhile, Drupal 6 has been announced EoL since 24 February 2016 and is of course unsupported. It may be better if drupal was slotted, as the architectural differences between different major versions are significant and migration between them is not a trivial exercise.

HTH.
-- 
Regards,
Mick
Comment 5 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-11-20 16:19:25 UTC
(In reply to MickKi from comment #4)
> (In reply to Jorge Manuel B. S. Vicetto from comment #2)
> 
> > This drops or masks the remaining versions, so there's no more clean-up to
> > be done.
> 
> I may misunderstand what you've written, so just to confirm:
> 
> Both Drupal 8.2.3 and Drupal 7.52 are not vulnerable and continue to be
> supported by the project, so both should stay on the tree.  Meanwhile,
> Drupal 6 has been announced EoL since 24 February 2016 and is of course
> unsupported.  It may be better if drupal was slotted as the architectural
> differences between different major versions are significant and migration
> between them is not a trivial exercise.

https://gitweb.gentoo.org/repo/gentoo.git/commit/www-apps/drupal?id=a4d65ab86c0e0478b81e4ce5a0672000bd5b9628
https://gitweb.gentoo.org/repo/gentoo.git/commit/profiles/package.mask?id=908cbb45d54f2717cb3edde5c1dc015718f644db

So I dropped the vulnerable 8.1.10 version and masked the 6.38 release.

> HTH.
> -- 
> Regards,
> Mick
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-01-06 09:30:32 UTC
commit fc20a1ad964731a5394196d52c464f4d60b77607
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Fri Jan 6 10:24:12 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Fri Jan 6 10:29:32 2017

    www-apps/drupal: Clean 6.38 up (masked for removal), #600124