628210 – (CVE-2017-6923, CVE-2017-6924, CVE-2017-6925) <www-apps/drupal-8.3.7: Access Bypass (CVE-2017-692{3,4,5})

Bug 628210 (CVE-2017-6923, CVE-2017-6924, CVE-2017-6925) - <www-apps/drupal-8.3.7: Access Bypass (CVE-2017-692{3,4,5})

Summary: <www-apps/drupal-8.3.7: Access Bypass (CVE-2017-692{3,4,5})

Status:	RESOLVED FIXED

Alias:	CVE-2017-6923, CVE-2017-6924, CVE-2017-6925

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:	https://www.drupal.org/SA-CORE-2017-004
Whiteboard:	~2 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-08-18 18:17 UTC by MickKi
Modified:	2017-09-01 19:58 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description MickKi 2017-08-18 18:17:18 UTC

Drupal-8 versions prior to 8.3.7 should be updated to mitigate critical security vulnerabilities described in https://www.drupal.org/SA-CORE-2017-004

Reproducible: Always




Security vulnerabilities dealt with under version 8.3.7:

1. Views - Access Bypass - Moderately Critical - Drupal 8 - CVE-2017-6923
2. REST API can bypass comment approval - Access Bypass - Moderately Critical - Drupal 8 - CVE-2017-6924
3. Entity access bypass for entities that do not have UUIDs or have protected revisions - Access Bypass - Critical - Drupal 8 - CVE-2017-6925

Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-09-01 01:04:13 UTC

(In reply to MickKi from comment #0)

Thank you for the report.

@Maintainers, could you please bump to 8.3.7 and let us know when tree is clean of vulnerable versions?

Thanks,

Gentoo Security Padawan
ChrisADR

Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev

2017-09-01 19:21:34 UTC

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=948ae511fc39a8656ffa0091f126d216d091bc21

www-apps/drupal: Security version bump CVE-2017-692{3,4,5} - fixes bug 628210.

Vulnerable versions removed from the tree.