Bug 1561854 (CVE-2018-7600)

Summary: CVE-2018-7600 drupal: Unsanitized requests allow remote attackers to execute arbitrary code
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: ccoleman, dedgar, dmcphers, gwync, jgoulding, jsmith.fedora, peter.borsa, shawn, stickster
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: drupal 7.58, drupal 8.3.9, drupal 8.4.6, drupal 8.5.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-21 04:06:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1561855, 1561856, 1561857, 1561858, 1561859    
Bug Blocks: 1565116    

Description Sam Fowler 2018-03-29 04:30:17 UTC 
Drupal versions 6, 7 and 8 do not properly sanitize requests allowing remote attackers without credentials to execute arbitrary code.

This issue was patched in the following versions:
Drupal 7.58
Drupal 8.3.9
Drupal 8.4.6
Drupal 8.5.1


External References:

https://www.drupal.org/sa-core-2018-002
https://groups.drupal.org/security/faq-2018-002


Upstream Patches:

https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5
https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
Comment 1 Sam Fowler 2018-03-29 04:30:45 UTC 
Created drupal8 tracking bugs for this issue:

Affects: fedora-all [bug 1561855]


Created drupal7 tracking bugs for this issue:

Affects: fedora-all [bug 1561857]
Affects: epel-all [bug 1561858]


Created drupal6 tracking bugs for this issue:

Affects: epel-6 [bug 1561856]
Comment 4 Fedora Update System 2019-03-12 21:47:51 UTC 
drupal6-6.38-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Shawn Iwinski 2019-03-21 03:24:14 UTC 
All dependent bugs have been closed.  Can this tracking bug be closed?
Comment 6 Sam Fowler 2019-03-21 04:06:47 UTC 
In reply to comment #5:
> All dependent bugs have been closed.  Can this tracking bug be closed?

Yep, closed.