Bug 1192959

Summary: drupal-views: multiple vulnerabilities (SA-CONTRIB-2015-039)
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: ccoleman, dmcphers, gwync, hello, jialiu, joelsmith, jokerman, jsmith.fedora, kseifried, lmeyer, mmccomas, shawn, stickster, vkaigoro
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Views 6.x-2.18, Views 6.x-3.2, Views 7.x-3.10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-10 21:01:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1192960, 1192961, 1192962, 1192963, 1192964
Bug Blocks:

Description Vasyl Kaigorodov 2015-02-16 11:04:40 UTC
Two vulnerabilities were reported [1] in the Drupal Views module.

Open redirect vulnerability

The module does not sanitize user provided URLs when processing the page to break the lock on Views being edited, thereby exposing an open redirect attack vector.

This vulnerability is mitigated by the fact that the Views UI submodule must be enabled.

Access bypass vulnerability

The module does not protect the default Views configurations that ship with the module sufficiently, thereby exposing possibly protected information to unprivileged users.

This vulnerability is mitigated by the fact that it only affects sites that have not granted the common "access content" or "access comments" permission to untrusted users. Furthermore, these default views configurations are disabled by default and must be enabled by an administrator.

CVE request:
http://seclists.org/oss-sec/2015/q1/549

[1]: https://www.drupal.org/node/2424403
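
The open redirect described above comes down to trusting a user-supplied destination when redirecting after the "break lock" confirmation. The following is an added illustration, not the Views module's own code or the upstream fix: a Python sketch of the vulnerable pattern beside a hardened destination check that only accepts locations on the site itself. The site base URL, the fallback path, the query-parameter name and the function names are assumptions for the example.

```python
"""Added example: validating a user-supplied redirect destination.

Models the "break lock" redirect described in the advisory. Names, the
site base URL and the fallback path are assumptions for the example;
this is not the Views module's code or its fix.
"""
from urllib.parse import urljoin, urlsplit

# Assumed site base URL for the example.
SITE_BASE = "https://www.example.test/"


def vulnerable_break_lock_location(query, fallback="admin/structure/views"):
    """Vulnerable pattern: the ?destination= value is used as-is.

    Whatever the attacker puts in the crafted link (http://evil.example/
    or similar) becomes the Location header once the user confirms.
    """
    return query.get("destination") or urljoin(SITE_BASE, fallback)


def safe_redirect_target(destination, base=SITE_BASE):
    """Return an absolute URL on `base` for a local destination, else None.

    Rejects absolute URLs (http://evil.example/), protocol-relative forms
    (//evil.example), backslash variants such as /\\evil.example that
    browsers normalise to //evil.example, bare schemes (javascript:alert(1),
    http:evil.example) and anything containing whitespace or control
    characters, which some URL parsers silently strip.
    """
    if not destination:
        return None
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in destination):
        return None
    candidate = destination.replace("\\", "/")
    if candidate.startswith("//"):
        return None
    try:
        parts = urlsplit(candidate)
        if parts.scheme or parts.netloc:
            return None
        # Resolve against the site and re-check the origin: belt and
        # braces against anything the checks above did not anticipate.
        resolved = urlsplit(urljoin(base, candidate))
    except ValueError:  # e.g. malformed bracketed host
        return None
    site = urlsplit(base)
    if (resolved.scheme, resolved.netloc) != (site.scheme, site.netloc):
        return None
    return resolved.geturl()


def hardened_break_lock_location(query, fallback="admin/structure/views"):
    """Hardened pattern: redirect only to a validated local destination,
    otherwise fall back to a fixed page on the site."""
    target = safe_redirect_target(query.get("destination", ""))
    if target is None:
        target = urljoin(SITE_BASE, fallback)
    return target


if __name__ == "__main__":
    # Constructed inputs: what an attacker's crafted link might carry.
    for dest in ["admin/structure/views/view/frontpage/edit",
                 "http://evil.example/", "//evil.example",
                 "/\\evil.example", "javascript:alert(1)"]:
        print(f"{dest!r:45} vulnerable -> "
              f"{vulnerable_break_lock_location({'destination': dest})}")
        print(f"{'':45} hardened   -> "
              f"{hardened_break_lock_location({'destination': dest})}")
```

The final origin comparison after urljoin is deliberate: the individual string checks each close one known trick, but re-parsing the resolved URL and comparing scheme and host against the site's own is what actually guarantees the browser ends up on this site. Relative internal paths without a leading slash (Drupal's usual form) are accepted because they resolve under the site base.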

Comment 2 Vasyl Kaigorodov 2015-02-16 11:06:45 UTC
Created drupal6-views tracking bugs for this issue:

Affects: fedora-all [bug 1192960]
Affects: epel-all [bug 1192962]

Comment 3 Vasyl Kaigorodov 2015-02-16 11:06:48 UTC
Created drupal7-views tracking bugs for this issue:

Affects: fedora-all [bug 1192961]
Affects: epel-all [bug 1192963]

Comment 4 Peter Borsa 2015-02-16 14:30:33 UTC
Hi!

Do I need to edit the drupal7-views update to add these BZ issue numbers (1192961, 1192963)? Because I submitted them before you created these BZ issues.

Thanks!

Comment 5 Peter Borsa 2015-02-16 14:32:34 UTC
As I can see, Jon (limb) has updated drupal6-views as well.

https://admin.fedoraproject.org/updates/search/drupal6-views

Comment 6 Vasyl Kaigorodov 2015-02-17 09:41:04 UTC
(In reply to Peter Borsa from comment #4)
> Do I need to edit the drupal7-views update to add these BZ issue
> numbers (1192961, 1192963)? Because I submitted them before you created
> these BZ issues.

Peter, for completeness and sanity I would say it would be good to have both of these BZs mentioned in the update.

Comment 7 Peter Borsa 2015-02-20 13:18:04 UTC
Done, I've just added those ones. Thank you, Vasyl!

Comment 8 Fedora Update System 2015-02-23 08:03:50 UTC
drupal6-views-2.18-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-02-28 17:57:31 UTC
drupal6-views-2.18-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Peter Borsa 2015-04-23 06:20:54 UTC
Hi Vasyl!

Can we close this issue, since the updated modules are in the stable repositories?

Comment 11 Vasyl Kaigorodov 2015-04-23 07:57:22 UTC
(In reply to Peter Borsa from comment #10)
> Hi Vasyl!
> 
> Can we close this issue, since the updated modules are in the stable
> repositories?

Hi Peter,

Same as bug 1182940, this one affects OpenShift Online, which is not yet fixed; this bug should remain open.

Comment 12 Peter Borsa 2015-04-23 07:59:20 UTC
Hi,

Okay, thank you!