Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 612884 (CVE-2017-6377, CVE-2017-6379, CVE-2017-6381) - <www-apps/drupal-8.2.7: multiple vulnerabilities (CVE-2017-{6377,6379,6381})
Summary: <www-apps/drupal-8.2.7: multiple vulnerabilities (CVE-2017-{6377,6379,6381})
Status: RESOLVED FIXED
Alias: CVE-2017-6377, CVE-2017-6379, CVE-2017-6381
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://www.drupal.org/SA-2017-001
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-17 10:28 UTC by Thomas Deutschmann
Modified: 2017-03-17 10:33 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev 2017-03-17 10:28:48 UTC
Incoming details.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-03-17 10:30:21 UTC
CVE-2017-6381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6381):
  A 3rd party development library including with Drupal 8 development
  dependencies is vulnerable to remote code execution. This is mitigated by
  the default .htaccess protection against PHP execution, and the fact that
  Composer development dependencies aren't normal installed. You might be
  vulnerable to this if you are running a version of Drupal before 8.2.2. To
  be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit
  directory from your production deployments

CVE-2017-6379 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6379):
  Some administrative paths in Drupal 8.2.x before 8.2.7 did not include
  protection for CSRF. This would allow an attacker to disable some blocks on
  a site. This issue is mitigated by the fact that users would have to know
  the block ID.

CVE-2017-6377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6377):
  When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the
  editor will not correctly check access for the file being attached,
  resulting in an access bypass.
Comment 2 Thomas Deutschmann gentoo-dev 2017-03-17 10:33:39 UTC
Already in repository. Repository is clean. All done.