Bug 743169 (CVE-2020-13666) - <www-apps/drupal-{7.73,8.8.10,8.9.6,9.0.6} Cross-site scripting (CVE-2020-13666)
Summary: <www-apps/drupal-{7.73,8.8.10,8.9.6,9.0.6} Cross-site scripting (CVE-2020-13666)
Status: RESOLVED FIXED
Alias: CVE-2020-13666
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.drupal.org/sa-core-2020-007
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-17 17:24 UTC by Tupone Alfredo
Modified: 2020-09-17 19:26 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Tupone Alfredo gentoo-dev 2020-09-17 17:24:46 UTC
The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.

    If you are using Drupal 7.x, upgrade to Drupal 7.73.
    If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
    If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
    If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.


Reproducible: Always
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-17 19:24:17 UTC
Thanks! Package has already been bumped and cleaned up, so all done.

commit 2a70bf4141d0eeb3262d3781e803a5a6c9102a0f
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
Date:   Thu Sep 17 16:25:29 2020 +0000

    www-apps/drupal: Drop vulnerable releases.

    Package-Manager: Portage-3.0.6, Repoman-3.0.1
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 delete mode 100644 www-apps/drupal/drupal-7.72.ebuild
 delete mode 100644 www-apps/drupal/drupal-8.8.8.ebuild
 delete mode 100644 www-apps/drupal/drupal-8.8.9.ebuild
 delete mode 100644 www-apps/drupal/drupal-8.9.1.ebuild
 delete mode 100644 www-apps/drupal/drupal-8.9.2.ebuild
 delete mode 100644 www-apps/drupal/drupal-8.9.3.ebuild
 delete mode 100644 www-apps/drupal/drupal-8.9.5.ebuild
 delete mode 100644 www-apps/drupal/drupal-9.0.1.ebuild
 delete mode 100644 www-apps/drupal/drupal-9.0.2.ebuild
 delete mode 100644 www-apps/drupal/drupal-9.0.3.ebuild
 delete mode 100644 www-apps/drupal/drupal-9.0.5.ebuild

commit 453cea4859ead1fd76c35568b89124f94a6ce629
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
Date:   Thu Sep 17 16:20:33 2020 +0000

    www-apps/drupal: Security bumps.

    Version bump to 9.0.6, 8.9.6, 8.8.10 and 7.73 releases.
    Security issues SA-CORE-2020-{006,007,008,009,010,011}.

    Package-Manager: Portage-3.0.6, Repoman-3.0.1
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 create mode 100644 www-apps/drupal/drupal-7.73.ebuild
 create mode 100644 www-apps/drupal/drupal-8.8.10.ebuild
 create mode 100644 www-apps/drupal/drupal-8.9.6.ebuild
 create mode 100644 www-apps/drupal/drupal-9.0.6.ebuild