Context, a Drupal module which allows you to manage contextual conditions and reactions for different portions of your site, was found to have two severe security issues.

The first issue is that the module allows execution of PHP code via manipulation of a URL argument in a path used for AJAX operations when running in a configuration without a json_decode function provided by PHP or the PECL JSON library. This vulnerability is only exploitable on a server running a PHP version prior to 5.2 that does not have the JSON library installed.

The second issue is that the module uses Drupal's token scheme to restrict access to the JSON rendering of a block. This control mechanism is insufficient, as Drupal's token scheme is designed to provide security between two different sessions (or a session and a non-authenticated user) and is not designed to provide security within a session. This issue is mitigated by the fact that it requires blocks that contain sensitive information.

The suggested fix is to update Drupal6-context to 6.x-3.2 and Drupal7-context to 7.x-3.0.

References:
http://seclists.org/fulldisclosure/2013/Oct/118
https://drupal.org/node/2113317
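The second issue above is a general pattern, so here is an added illustration of it; this is not code from the Context module or from Drupal core. It is a hypothetical Drupal 7 page callback (path, function names and the `opts` query argument are all assumptions) that returns one block rendered as JSON, first with only a token check and then with an authorization check added. It uses only Drupal 7 core functions (drupal_valid_token(), block_load(), block_list(), _block_render_blocks(), _block_get_renderable_array(), drupal_render(), drupal_json_output(), drupal_exit()). The json_decode() guard reflects the first issue in the general sense that a missing decoder should be refused, not worked around; the page does not say how the module's own fallback executed code, and this example does not try to reproduce it.

```php
<?php
// Added illustration, not code from the Context module or Drupal core.
// Hypothetical Drupal 7 page callback at example/block-json/%/%?token=...&opts=...
// that returns one block rendered as JSON. Path, function names and the
// 'opts' argument are assumptions made for this example.

/**
 * Weak: the CSRF token is the only gate.
 *
 * drupal_valid_token() only proves the token was minted for the current
 * session (it is an HMAC keyed with the session id and the site's private
 * key). Any logged-in user can obtain such a token from a page they are
 * allowed to see and then request ANY block's JSON, including blocks whose
 * role or page visibility rules would never show it to them.
 */
function example_block_json_weak($module, $delta) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_block_json')) {
    return MENU_ACCESS_DENIED;  // the menu system delivers this as a 403
  }
  $block = block_load($module, $delta);
  _example_deliver_block_json($block);
}

/**
 * Hardened: same CSRF check, plus an authorization check that reuses the
 * visibility rules Drupal itself applies when placing the block on a page.
 */
function example_block_json_hardened($module, $delta) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_block_json')) {
    return MENU_ACCESS_DENIED;
  }

  // Optional JSON argument. Never substitute a hand-rolled or eval()-based
  // decoder when json_decode() is missing (PHP < 5.2 without the JSON
  // extension; Drupal 7 itself requires PHP 5.2.4, so this matters on
  // older Drupal 6 era stacks): refuse the argument instead.
  $options = array();
  if (isset($_GET['opts'])) {
    if (!function_exists('json_decode')) {
      return MENU_NOT_FOUND;
    }
    $options = json_decode($_GET['opts'], TRUE);
    if (!is_array($options)) {
      return MENU_NOT_FOUND;
    }
  }

  $block = block_load($module, $delta);
  if (!$block || !_example_block_visible_to_current_user($block)) {
    return MENU_ACCESS_DENIED;
  }
  _example_deliver_block_json($block, $options);
}

/**
 * TRUE when block_list() would include this block for the current user.
 * block_list() runs hook_block_list_alter(), where the block module drops
 * blocks excluded by the user's roles, the current path or the per-user
 * setting, so this mirrors what a normal page load enforces. Note that
 * block_load() is not theme-aware; it returns the first matching row.
 */
function _example_block_visible_to_current_user($block) {
  if (empty($block->region) || $block->region == BLOCK_REGION_NONE) {
    return FALSE;  // disabled block: never placed on a page, so never via JSON
  }
  foreach (block_list($block->region) as $visible) {
    if ($visible->module == $block->module && $visible->delta == $block->delta) {
      return TRUE;
    }
  }
  return FALSE;
}

/**
 * Render through the same pipeline as a page load (hook_block_view() and
 * hook_block_view_alter()) and emit the result as JSON.
 */
function _example_deliver_block_json($block, array $options = array()) {
  $rendered = _block_render_blocks(array($block));
  $build = _block_get_renderable_array($rendered);
  drupal_json_output(array(
    'module' => $block->module,
    'delta' => $block->delta,
    'options' => $options,
    'html' => drupal_render($build),
  ));
  drupal_exit();
}
```

The token check and the visibility check answer different questions: the token tells you the request was not forged by another site on behalf of this session, and the visibility check tells you whether this session is allowed to see the block at all. Only the second one is an access control decision, which is why the weak version leaks any block to any authenticated user.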
Created drupal6-context tracking bugs for this issue: Affects: fedora-all [bug 1020780] Affects: epel-6 [bug 1020783]
Created drupal7-context tracking bugs for this issue: Affects: fedora-all [bug 1020781] Affects: epel-all [bug 1020784]
drupal7-context-3.1-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-context-3.1-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-context-3.1-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-context-3.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-context-3.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
It has been updated, but one issue is left. However, I cannot see it because I get "access denied": https://bugzilla.redhat.com/show_bug.cgi?id=1020785 Should I do anything else?
All dependent bugs are closed. Should the owners of the packages close this bug or should you close it?