Incoming details.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=7a9178b3c9af6525215548fa76cf503f31bddaf3

commit 7a9178b3c9af6525215548fa76cf503f31bddaf3
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2018-03-28 19:27:05 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2018-03-28 19:27:05 +0000

    www-apps/drupal: Security releases to address PSA-2018-001 (7.58, 8.4.6 and 8.5.1).

    Bug: https://bugs.gentoo.org/651822
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/{drupal-7.57.ebuild => drupal-7.58.ebuild}   | 0
 www-apps/drupal/{drupal-8.4.5.ebuild => drupal-8.4.6.ebuild} | 0
 www-apps/drupal/{drupal-8.5.0.ebuild => drupal-8.5.1.ebuild} | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07ad56cacfc2e859666544708d1ffd80f0a84cea

commit 07ad56cacfc2e859666544708d1ffd80f0a84cea
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2018-03-28 19:37:33 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2018-03-28 19:37:33 +0000

    www-apps/drupal: Security releases to address PSA-2018-001 (7.58, 8.4.6 and 8.5.1).

    Bug: https://bugs.gentoo.org/651822
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest                           |  5 +-
 .../{drupal-7.57.ebuild => drupal-7.58.ebuild}     |  0
 .../{drupal-8.4.5.ebuild => drupal-8.4.6.ebuild}   |  0
 www-apps/drupal/drupal-8.5.1.ebuild                | 86 ++++++++++++++++++++++
 4 files changed, 89 insertions(+), 2 deletions(-)
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

How dangerous is this issue?

Drupal security advisories include a risk score based on the NIST Common Misuse Scoring System. This helps give an objective sense of the risk of different issues. The risk of SA-CORE-2018-002 is scored 21/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default.

In the long form this means:

* How difficult is it for the attacker to leverage the vulnerability? None (user visits page).
* What privilege level is required for an exploit to be successful? None (all/anonymous users).
* Does this vulnerability cause non-public data to be accessible? All non-public data is accessible.
* Can this exploit allow system data (or data handled by the system) to be compromised? All data can be modified or deleted.
* Does a known exploit exist? Theoretical or white-hat (no public exploit code or documentation on development exists)
* What percentage of users are affected? Default or common module configurations are exploitable, but a config change can disable the exploit.

https://groups.drupal.org/security/faq-2018-002
Package has no affected stable ebuild. Repository is clean. All done.