[Secure-testing-team] Bug#696342: [drupal7] SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities in Drupal 6 & 7

Ingo Juergensmann ij at 2011.bluespice.org
Wed Dec 19 19:58:23 UTC 2012 

Package: drupal7
Version: 7.14-1.1
Severity: critical
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

--- Please enter the report below this line. ---

Hi!

There's a security update for Drupal6 and Drupal7 available. Please 
include the patch for not question the Drupal Server about new version 
available this time, otherwise the users will be prompted by a wrong 
security warning, which is already solved. Thanks!


http://drupal.org/SA-CORE-2012-004


Multiple vulnerabilities were fixed in the supported Drupal core 
versions 6 and 7.
Access bypass (User module search - Drupal 6 and 7)

A vulnerability was identified that allows blocked users to appear in 
user search results, even when the search results are viewed by 
unprivileged users.

This vulnerability is mitigated by the fact that the default Drupal core 
user search results only display usernames (and disclosure of usernames 
is not considered a security vulnerability). However, since modules or 
themes may override the search results to display more information from 
each user's profile, this could result in additional information about 
blocked users being disclosed on some sites.

CVE: Requested.
Access bypass (Upload module - Drupal 6)

A vulnerability was identified that allows information about uploaded 
files to be displayed in RSS feeds and search results to users that do 
not have the "view uploaded files" permission.

This issue affects Drupal 6 only.

CVE: Requested.
Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)

Drupal core's file upload feature blocks the upload of many files that 
can be executed on the server by munging the filename. A malicious user 
could name a file in a manner that bypasses this munging of the filename 
in Drupal's input validation.

This vulnerability is mitigated by several factors: The attacker would 
need the permission to upload a file to the server. Certain combinations 
of PHP and filesystems are not vulnerable to this issue, though we did 
not perform an exhaustive review of the supported PHP versions. Finally: 
the server would need to allow execution of files in the uploads 
directory. Drupal core has protected against this with a .htaccess file 
protection in place from SA-2006-006 - Drupal Core - Execution of 
arbitrary files in certain Apache configurations. Users of IIS should 
consider updating their web.config. Users of Nginx should confirm that 
only the index.php and other known good scripts are executable. Users of 
other webservers should review their configuration to ensure the goals 
are achieved in some other way.

CVE: Requested.

CVE identifier(s) issued

     A CVE identifier will be requested, and added upon issuance, in 
accordance with Drupal Security Team processes.

Versions affected

     Drupal core 6.x versions prior to 6.27.
     Drupal core 7.x versions prior to 7.18.

Solution

Install the latest version:

     If you use Drupal 6.x, upgrade to Drupal core 6.27.
     If you use Drupal 7.x, upgrade to Drupal core 7.18.

--- System information. ---
Architecture: amd64
Kernel:       Linux 3.2.0-4-amd64

Debian Release: 7.0
   500 unstable        www.deb-multimedia.org
   500 unstable        ftp.de.debian.org
     1 experimental    ftp.de.debian.org

--- Package information. ---
Depends                    (Version) | Installed
====================================-+-============
debconf                    (>= 0.5)  | 1.5.48
  OR debconf-2.0                      |
apache2                              | 2.2.22-12
  OR httpd                            |
php5                                 | 5.4.4-10
php5-mysql                           | 5.4.4-10
  OR php5-pgsql                       | 5.4.4-10
php5-gd                              | 5.4.4-10
default-mta                          |
  OR mail-transport-agent             |
wwwconfig-common         (>= 0.0.37) | 0.2.2
mysql-client                         | 5.5.28+dfsg-1
  OR virtual-mysql-client             |
  OR postgresql-client                | 9.1+134wheezy2
dbconfig-common                      | 1.8.47+nmu1
curl                                 | 7.28.0-3


Recommends        (Version) | Installed
===========================-+-===========
mysql-server                | 5.5.28+dfsg-1
  OR postgresql              | 9.1+134wheezy2


Package's Suggests field is empty.




-- 
Ciao...            //      Fon: 0381-2744150
       Ingo       \X/       http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc

More information about the Secure-testing-team mailing list