Red Hat Bugzilla – Bug 786856
CVE-2012-0826 drupal6, drupal7: XSRF in the Aggregator module (SA-CORE-2012-001)
Last modified: 2012-03-13 21:24:53 EDT
A Cross Site Request Forgery (CSRF) flaw was found in the way the Aggregator module of Drupal, the content management system, performed retrieval of syndicated content from other websites. A remote attacker could provide a specially-crafted URL, which once visited by an unsuspecting Drupal user could lead to the Aggregator module to attempt to in unlimited way obtain feeds from remote websites, which in case the remote site enforced an upper bound / limit for count of feeds, which could be obtained during certain time interval, could lead to denial of service for the victim.
This issue is scheduled to be corrected in the following drupal6 package
1) drupal6-6.24-1.el6 for Fedora EPEL 6,
2) drupal6-6.24-1.el5 for Fedora EPEL 5,
3) drupal6-6.24-1.fc15 for Fedora 15,
4) drupal6-6.24-1.fc16 for Fedora 16.
This issue is scheduled to be corrected in the following drupal7 package updates:
1) drupal7-7.12-1.el6 for Fedora EPEL 6,
2) drupal7-7.12-1.el5 for Fedora EPEL 5,
3, drupal7-7.12-1.fc16 for Fedora 16,
4) drupal7-7.12-1.fc15 for Fedora 15.
These packages have been released for all Fedora and EPEL branches.