Bug 831818 (CVE-2021-41184, SA-CORE-2022-001) - www-apps/drupal: XSS in the `of` option of the `.position()` util
Summary: www-apps/drupal: XSS in the `of` option of the `.position()` util
Status: CONFIRMED
Alias: CVE-2021-41184, SA-CORE-2022-001
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.drupal.org/sa-core-2022-001
Whiteboard: ~4 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-01-22 13:15 UTC by Tupone Alfredo
Modified: 2022-02-10 06:41 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Tupone Alfredo gentoo-dev 2022-01-22 13:15:58 UTC
Update to Drupal 9.2.11.
Update to Drupal 7.87.
drupal-8 and drupal 9 < 9.2 do not receive security updates.

Reproducible: Always
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-22 18:34:19 UTC
Thank you for reporting!

"Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7:

    CVE-2021-41184: XSS in the `of` option of the `.position()` util

It is possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release applies the fix for the above cross-site scripting issue, without making any of the other changes to the jQuery version that is included in Drupal."

Maintainers, please bump.
Comment 2 Larry the Git Cow gentoo-dev 2022-02-10 06:41:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f32fd46a00b538c6b808c388d88833d103d62f0

commit 4f32fd46a00b538c6b808c388d88833d103d62f0
Author:     Alfredo Tupone <tupone@gentoo.org>
AuthorDate: 2022-02-10 06:41:10 +0000
Commit:     Alfredo Tupone <tupone@gentoo.org>
CommitDate: 2022-02-10 06:41:10 +0000

    www-apps/drupal: 7.87 bump
    
    Bug: https://bugs.gentoo.org/831818
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Alfredo Tupone <tupone@gentoo.org>

 www-apps/drupal/Manifest           |  1 +
 www-apps/drupal/drupal-7.87.ebuild | 58 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)