News Block

Drupal Core - Critical - Access Bypass - SA-CORE-2017-002

Drupal Core Security - Wed, 04/19/2017 - 13:13
Description

This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:

  • The site has the RESTful Web Services (rest) module enabled.
  • The site allows PATCH requests.
  • An attacker can get or register a user account on the site.

While we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely.

CVE identifier(s) issued
  • CVE-2017-6919
Versions affected
  • Drupal 8 prior to 8.2.8 and 8.3.1.
  • Drupal 7.x is not affected.
Solution
  • If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.
  • If the site is running Drupal 8.3.0, upgrade to 8.3.1.

Also see the Drupal core project page.

Reported by Fixed by Coordinated by
  • The Drupal Security team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001

Drupal Core Security - Wed, 03/15/2017 - 15:24

Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.

Update your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. See the 8.2.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

  • Advisory ID: DRUPAL-SA-CORE-2017-001
  • Project: Drupal core
  • Version: 8.x
  • Date: 2017-March-15
Description Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377

When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass.

Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379

Some administrative paths did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution.

This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed.

You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren’t vulnerable, you can remove the /vendor/phpunit directory from the site root of your production deployments.

Solution

Update to Drupal 8.2.7

Reported by Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377 Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379 Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381 Fixed by Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377 Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379 Remote code execution - Drupal 8 - Remote code execution -Moderately Critical - CVE-2017-6381 Updates

Updated the above text to link to the correct update directions.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal 6.12

Drupal 6.x Upgrade Project - Thu, 05/14/2009 - 13:07

Drupal 6.12 and 5.18, maintenance releases fixing problems reported using the bug tracking system, as well as a critical security vulnerability, are now available for download. Drupal 6.12 also fixes "account page opens automatically after login" among other smaller issues.

Upgrading your existing Drupal 5 and 6 sites is strongly recommended.

For more info see Drupal 6.12 and 5.18 released, SA-CORE-2009-006 - Drupal core - Cross site scripting and Upgrade Drupal to 6.12.

read more

Drupal 6.11

Drupal 6.x Upgrade Project - Wed, 04/29/2009 - 21:03

Drupal 6.11 and 5.17, maintenance releases fixing problems reported using the bug tracking system, as well as a critical security vulnerability, are now available for download. Drupal 6.11 also fixes performance issues with the menu cache and update status cache among other smaller issues.

Upgrading your existing Drupal 5 and 6 sites is strongly recommended.

For more info see Drupal 6.11 and 5.17 released, SA-CORE-2009-005 - Drupal core - Cross site scripting and Upgrade Drupal to 6.11.

read more

BobbyMods Drupal 6.x Upgrade Project

Drupal 6.x Upgrade Project - Tue, 02/24/2009 - 14:32

Here you can find all 'loose' Drupal 6.x core upgrade projects.

If your project is maintained by BobbyMods.com then your upgrade will be found at your project.

This project is only for CORE upgrades that do not fall within a regular project.
If you need to also update modules and themes (or the need to do so arises during the update), that will be a separate project.

Pending

Drupal 6.x Upgrade Project - Tue, 02/24/2009 - 14:32
TitleIssue StatusPriorityCategoryVersionComponentChanged

read more

Syndicate content