lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1UPIv2-0002hB-SU@titan.mandriva.com>
Date: Mon, 08 Apr 2013 22:44:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2013:074 ] drupal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:074
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : drupal
 Date    : April 8, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated drupal packages fix security vulnerabilities:
 
 Drupal core&#039;s text filtering system provides several features including
 removing inappropriate HTML tags and automatically linking content
 that appears to be a link. A pattern in Drupal&#039;s text matching was
 found to be inefficient with certain specially crafted strings. This
 vulnerability is mitigated by the fact that users must have the ability
 to post content sent to the filter system such as a role with the post
 comments or Forum topic: Create new content permission (CVE-2012-1588).
 
 Drupal core&#039;s Form API allows users to set a destination, but failed
 to validate that the URL was internal to the site. This weakness could
 be abused to redirect the login to a remote site with a malicious
 script that harvests the login credentials and redirects to the live
 site. This vulnerability is mitigated only by the end user&#039;s ability
 to recognize a URL with malicious query parameters to avoid the social
 engineering required to exploit the problem (CVE-2012-1589).
 
 Drupal core&#039;s forum lists fail to check user access to nodes when
 displaying them in the forum overview page. If an unpublished node
 was the most recently updated in a forum then users who should not
 have access to unpublished forum posts were still be able to see
 meta-data about the forum post such as the post title (CVE-2012-1590).
 
 Drupal core provides the ability to have private files, including
 images, and Image Styles which create derivative images from
 an original image that may differ, for example, in size or
 saturation. Drupal core failed to properly terminate the page request
 for cached image styles allowing users to access image derivatives for
 images they should not be able to view. Furthermore, Drupal didn&#039;t
 set the right headers to prevent image styles from being cached in
 the browser (CVE-2012-1591).
 
 Drupal core provides the ability to list nodes on a site at
 admin/content. Drupal core failed to confirm a user viewing that page
 had access to each node in the list. This vulnerability only concerns
 sites running a contributed node access module and is mitigated by the
 fact that users must have a role with the Access the content overview
 page permission. Unpublished nodes were not displayed to users who only
 had the Access the content overview page permission (CVE-2012-2153).
 
 The request_path function in includes/bootstrap.inc in Drupal 7.14
 and earlier allows remote attackers to obtain sensitive information
 via the q[] parameter to index.php, which reveals the installation
 path in an error message (CVE-2012-2922).
 
 A bug in the installer code was identified that allows an attacker to
 re-install Drupal using an external database server under certain
 transient conditions. This could allow the attacker to execute
 arbitrary PHP code on the original server (Drupal SA-CORE-2012-003).
 
 For sites using the core OpenID module, an information disclosure
 vulnerability was identified that allows an attacker to read files
 on the local filesystem by attempting to log in to the site using a
 malicious OpenID server (Drupal SA-CORE-2012-003).
 
 A vulnerability was identified that allows blocked users to appear
 in user search results, even when the search results are viewed by
 unprivileged users (CVE-2012-5651).
 
 Drupal core&#039;s file upload feature blocks the upload of many files that
 can be executed on the server by munging the filename. A malicious
 user could name a file in a manner that bypasses this munging of the
 filename in Drupal&#039;s input validation (CVE-2012-5653).
 
 Multiple vulnerabilities were fixed in the supported Drupal core
 version 7 (DRUPAL-SA-CORE-2013-001).
 
 A reflected cross-site scripting vulnerability (XSS) was identified
 in certain Drupal JavaScript functions that pass unexpected user input
 into jQuery causing it to insert HTML into the page when the intended
 behavior is to select DOM elements. Multiple core and contributed
 modules are affected by this issue.
 
 A vulnerability was identified that exposes the title or, in some
 cases, the content of nodes that the user should not have access to.
 
 Drupal core provides the ability to have private files, including
 images. A vulnerability was identified in which derivative images
 (which Drupal automatically creates from these images based on image
 styles and which may differ, for example, in size or saturation) did
 not always receive the same protection. Under some circumstances,
 this would allow users to access image derivatives for images they
 should not be able to view.
 
 The drupal package was updated to latest version 7.19 to fix above
 vulnerabilities.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1588
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1589
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1590
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1591
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2153
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2922
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5651
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5653
 https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0320
 https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0366
 https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0027
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 f7e2ac0cf930766d420279a2a0bfc22e  mbs1/x86_64/drupal-7.19-1.mbs1.noarch.rpm
 6784e3e6ed9351fa61098e23bbe5fb07  mbs1/x86_64/drupal-mysql-7.19-1.mbs1.noarch.rpm
 741d0588e1d0cff3af7b452df8debbc0  mbs1/x86_64/drupal-postgresql-7.19-1.mbs1.noarch.rpm
 003cd7ba5ae61de97c1cef44615dfe63  mbs1/x86_64/drupal-sqlite-7.19-1.mbs1.noarch.rpm 
 e71b3ac8637e33ffec59afe3e22a48be  mbs1/SRPMS/drupal-7.19-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRYwHdmqjQ0CJFipgRAo7BAKCgB6HDJnZHVGe2WKfG59WaIIuF5ACg4TAJ
fxZyKJtyBraBNFAcdyvaECs=
=OYBl
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ