Bug 896467 (CVE-2013-0244, CVE-2013-0245, CVE-2013-0246, SA-CORE-2013-001)
Summary: drupal6, drupal7: Multiple security flaws fixed in upstream 6.28 and 7.19 versions (SA-CORE-2013-001)

Field | Value | Field | Value
---|---|---|---
Product | [Other] Security Response | Reporter | Jan Lieskovsky <jlieskov>
Component | vulnerability | Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA | QA Contact | 
Severity | medium | Docs Contact | 
Priority | medium | | 
Version | unspecified | CC | gwync, jokajak, kris.buytaert, lmacken, peter.borsa, rbean, sdodson, stickster, sven
Target Milestone | --- | Keywords | Security
Target Release | --- | | 
Hardware | All | | 
OS | Linux | | 
Whiteboard | | | 
Fixed In Version | Drupal 6.28, Drupal 7.19 | Doc Type | Bug Fix
Doc Text | | Story Points | ---
Clone Of | | Environment | 
Last Closed | 2013-02-01 15:29:39 UTC | Type | ---
Regression | --- | Mount Type | ---
Documentation | --- | CRM | 
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | 
Cloudforms Team | --- | Target Upstream Version | 
Embargoed | | | 
Bug Depends On | 896468, 896469, 896470, 896471 | | 
Bug Blocks | | | 
Description (Jan Lieskovsky, 2013-01-17 11:33:24 UTC)

These issues affect the versions of the drupal6 and drupal7 packages, as shipped with Fedora release of 16, 17, Fedora EPEL 5, and Fedora EPEL 6. Please schedule an update.

Created drupal7 tracking bugs for this issue
Affects: fedora-all [bug 896470]
Affects: epel-all [bug 896471]

Created drupal6 tracking bugs for this issue
Affects: fedora-all [bug 896468]
Affects: epel-all [bug 896469]

Besides the above affected versions, the first "Cross-site scripting (Various core and contributed modules - Drupal 6 and 7)" issue (affecting jQuery versions earlier than 1.6.3, as stated in the description: "jQuery versions 1.6.3 and higher provide protection against common forms of this problem; thus, the vulnerability is mitigated if your site has upgraded to a recent version of jQuery."; jQuery upstream bug: http://bugs.jquery.com/ticket/9521; jQuery 1.6.3 notes: http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/) affects the versions of the drupal7-jquery_update package, as shipped with Fedora release of 16, 17, Fedora EPEL 5 and Fedora EPEL 6 (as it also contains jquery.js source code and currently upgrades the jQuery JavaScript library to upstream version 1.5.2 only). Please schedule a drupal7-jquery_update package update too.

The XSS jQuery < 1.6.3 issue also affects the versions of the python-tw-jquery package, as shipped with Fedora release of 16, 17, Fedora EPEL 5, and Fedora EPEL 6. Please schedule an update. (The embedded version of the jQuery JavaScript library there is jQuery pre-1.2.4 and is located in BUILD/tw.jquery-0.9.10/tw/jquery/static/javascript/validate/lib/jquery.js.)

(In reply to comment #0)

Based on: http://www.openwall.com/lists/oss-security/2013/01/31/4

> Drupal upstream has released 6.28 and 7.19 versions to correct multiple
> security issues ([1]):
>
> * Cross-site scripting (Various core and contributed modules - Drupal 6 and
> 7):

1) The CVE identifier of CVE-2013-0244 has been assigned to the following issue:

A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery, causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue.

> * Access bypass (Book module printer friendly version - Drupal 6 and 7):
> ========================================================================

2) The CVE identifier of CVE-2013-0245 has been assigned to the Book module issue.

> * Access bypass (Image module - Drupal 7):
> ==========================================

3) The CVE identifier of CVE-2013-0246 has been assigned to the Image module issue.

The CVE identifier of CVE-2011-4969 has been assigned to the jQuery < 1.6.3 XSS issue. This issue is now tracked under a separate bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4969 and I am also going to move the various jQuery-related Fedora component bugs to be linked to that new CVE-2011-4969 bug.

Closing this bug - the CVE-2013-0244, CVE-2013-0245, CVE-2013-0246 issues have been corrected in the various drupal versions as shipped within Fedora / Fedora EPEL already, and we will deal with the jQuery CVE-2011-4969 related component issues in the new CVE-2011-4969 bug. This bug is not needed anymore.
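The CVE-2013-0244 description above turns on one detail of the jQuery constructor: `$(str)` decides on its own whether `str` is a CSS selector or an HTML fragment, and before jQuery 1.6.3 a string that began with `#` but also contained a tag was parsed as HTML. The example below is an added illustration written for this page, not code from the Bugzilla record, Drupal or jQuery; the two `quickExpr` patterns are reproduced from my reading of the jQuery 1.6.2 and 1.6.3 sources and should be checked against the real files. `classify()` re-implements only that selector-versus-HTML decision (not the DOM work that follows it), so a reviewer can see which untrusted strings would have crossed the line, and `safeHashSelector()` is the allow-list guard a defender would put in front of any `$()` call fed from `location.hash` or similar input. All sample strings are constructed and deliberately benign.

```javascript
// Added example: how $(str) in jQuery 1.6.2 vs 1.6.3 decided between
// "selector" and "HTML", plus an allow-list guard for fragment-derived ids.
// The regexes are an assumption reproduced from the jQuery 1.6.x sources.
const QUICK_EXPR = {
  // jQuery <= 1.6.2: any string containing a <tag> could become HTML, even
  // one that begins with "#" and was meant to be an id selector.
  "1.6.2": /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
  // jQuery 1.6.3 mitigation (upstream ticket 9521): a string that starts
  // with "#" is never treated as HTML.
  "1.6.3": /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
};

// Returns "html", "id" or "selector": how $(input) would interpret input
// under the given jQuery version (only the constructor's decision is modelled).
function classify(input, version) {
  const re = QUICK_EXPR[version];
  if (!re) throw new Error("unknown jQuery version: " + version);
  const str = String(input);
  let match;
  // Fast path present in both versions: "<...>" is always an HTML fragment.
  if (str.charAt(0) === "<" && str.charAt(str.length - 1) === ">" && str.length >= 3) {
    match = [null, str, null];
  } else {
    match = re.exec(str);
  }
  if (match && match[1]) return "html";        // would be parsed as markup
  if (match && match[2] != null) return "id";  // document.getElementById path
  return "selector";                            // handed to the selector engine
}

// Defender-side guard: only a plain "#token" reaches $(); anything else
// (tags, spaces, quotes, a missing "#") is rejected so it can never be parsed
// as HTML regardless of the jQuery version in use.
function safeHashSelector(hash) {
  const m = /^#([A-Za-z][\w-]*)$/.exec(String(hash));
  return m ? "#" + m[1] : null;
}

// Audit helper: flag inputs whose interpretation changes between versions,
// i.e. the strings the 1.6.3 upgrade actually neutralises.
function flipsToHtml(input) {
  return classify(input, "1.6.2") === "html" && classify(input, "1.6.3") !== "html";
}

// Constructed samples (benign markup only) showing the three outcomes.
const SAMPLES = ["#main", "#<b>x</b>", "#tab-2<i>", "<b>x</b>", "div.item"];
for (const s of SAMPLES) {
  console.log(
    JSON.stringify(s).padEnd(14),
    "1.6.2:", classify(s, "1.6.2").padEnd(8),
    "1.6.3:", classify(s, "1.6.3").padEnd(8),
    "guard:", safeHashSelector(s)
  );
}
```

Reading the table the block prints: `#main` is an id lookup in both versions and passes the guard; `#<b>x</b>` and `#tab-2<i>` are the shape of input that was parsed as HTML in 1.6.2 and falls through to the selector engine in 1.6.3 (where it is simply an invalid selector); the guard rejects both outright, which is the fix that does not depend on the library version. Grepping a codebase for `$(location.hash)`, `$(window.location.hash)` and `$("#" + userValue)` and routing each through a guard like `safeHashSelector()` is the practical audit step the advisory's mitigation note implies.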