Bug 786856 (CVE-2012-0826)

Summary: CVE-2012-0826 drupal6, drupal7: XSRF in the Aggregator module (SA-CORE-2012-001)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gwync, stickster, sven
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-14 01:24:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jan Lieskovsky 2012-02-02 15:26:15 UTC 
A Cross Site Request Forgery (CSRF) flaw was found in the way the Aggregator module of Drupal, the content management system, performed retrieval of syndicated content from other websites. A remote attacker could provide a specially-crafted URL, which once visited by an unsuspecting Drupal user could lead to the Aggregator module to attempt to in unlimited way obtain feeds from remote websites, which in case the remote site enforced an upper bound / limit for count of feeds, which could be obtained during certain time interval, could lead to denial of service for the victim.

References:
[1] http://drupal.org/node/1425084
Comment 1 Jan Lieskovsky 2012-02-02 15:34:48 UTC 
This issue is scheduled to be corrected in the following drupal6 package
updates:
1) drupal6-6.24-1.el6  for Fedora EPEL 6,
2) drupal6-6.24-1.el5  for Fedora EPEL 5,
3) drupal6-6.24-1.fc15  for Fedora 15, 
4) drupal6-6.24-1.fc16  for Fedora 16.
Comment 2 Jan Lieskovsky 2012-02-02 15:40:30 UTC 
This issue is scheduled to be corrected in the following drupal7 package updates:
1) drupal7-7.12-1.el6 for Fedora EPEL 6,
2) drupal7-7.12-1.el5 for Fedora EPEL 5,
3, drupal7-7.12-1.fc16 	for Fedora 16,
4) drupal7-7.12-1.fc15 	for Fedora 15.
Comment 3 Paul W. Frields 2012-03-14 01:24:53 UTC 
These packages have been released for all Fedora and EPEL branches.