Security-news December 2016

security-news@drupal.org

1 participants
2 discussions

PHPmailer 3rd party library -- DRUPAL-SA-PSA-2016-004
by security-news＠drupal.org 26 Dec '16

26 Dec '16

View online: https://www.drupal.org/node/2839366 * Advisory ID: DRUPAL-SA-PSA-2016-004 * Project: PHPMailer [1] (third-party library) * Version: 7.x, 8.x * Date: 2016-December-26 * Security risk: 23/25 ( Highly Critical) AC:None/A:User/CI:All/II:All/E:Exploit/TD:All [2] * Vulnerability: Arbitrary PHP code execution -------- DESCRIPTION --------------------------------------------------------- The PHPMailer and SMTP modules (and maybe others) add support for sending e-mails using the 3rd party PHPMailer library. In general the Drupal project does not create advisories for 3rd party libraries. Drupal site maintainers should pay attention to the notifications provided by those 3rd party libraries as outlined in PSA-2011-002 - External libraries and plugins [3]. However, given the extreme criticality of this issue and the timing of its release we are issuing a Public Service Announcement to alert potentially affected Drupal site maintainers. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * CVE-2016-10033 -------- VERSIONS AFFECTED --------------------------------------------------- All versions of the external PHPMailer library < 5.2.18. Drupal core is not affected. If you do not use the contributed PHPMailer [4] third party library, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Upgrade to the newest version of the phpmailler library. https://github.com/PHPMailer/PHPMailer [5] -------- IF YOU ARE USING THE SMTP MODULE [6] -------------------------------- The SMTP module has a modified third party PHPMailer library in its codebase. The modified version of the library is not affected. A special thanks to Fabiano Sant'Ana [7], SMTP module [8] maintainer, for working on this with short notice. -------- REPORTED BY --------------------------------------------------------- * Dawid Golunski -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [13] [1] https://github.com/PHPMailer/PHPMailer [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/1189632 [4] https://github.com/PHPMailer/PHPMailer [5] https://github.com/PHPMailer/PHPMailer [6] https://www.drupal.org/project/smtp [7] https://www.drupal.org/u/wundo [8] https://www.drupal.org/project/smtp [9] https://www.drupal.org/contact [10] https://www.drupal.org/security-team [11] https://www.drupal.org/writing-secure-code [12] https://www.drupal.org/security/secure-configuration [13] https://twitter.com/drupalsecurity

1 0

High-performance JavaScript callback handler - Highly Critical - Multiple vulnerabilities - SA-CONTRIB-2016-063
by security-news＠drupal.org 07 Dec '16

07 Dec '16

View online: https://www.drupal.org/node/2833790 * Advisory ID: DRUPAL-SA-CONTRIB-2016-063 * Project: High-performance JavaScript callback handler [1] (third-party module) * Version: 7.x * Date: 2016-December-07 * Security risk: 22/25 ( Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request Forgery, Open Redirect, Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- The High-performance JavaScript callback handler module is a light weight callback to bypass most, if not all, of Drupal's bootstrapping process to achieve improved performance. The module does not sufficiently check whether or not a callback is being properly accessed or filtering for potential XSS or CSRF exploits. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * High-performance JavaScript callback handler (js) 7.x-1.x versions prior to 7.x-2.1. Drupal core is not affected. If you do not use the contributed High-performance JavaScript callback handler [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the js module for Drupal 7.x, upgrade to js 7.x-2.1 [5] *Note:* this upgrade is not backwards compatible with 7.x-1.x. Existing contrib and custom module implementations of this API will either need to be upgraded, replaced or removed. Also see the High-performance JavaScript callback handler [6] project page. -------- REPORTED BY --------------------------------------------------------- * Anthony Leach (anthonyleach) [7] -------- FIXED BY ------------------------------------------------------------ * Mark Carver (markcarver) [8] - module maintainer -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14] [1] https://www.drupal.org/project/js [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/js [5] https://www.drupal.org/project/js/releases/7.x-2.1 [6] https://www.drupal.org/project/js [7] https://www.drupal.org/u/anthonyleach [8] https://www.drupal.org/u/markcarver [9] https://www.drupal.org/u/mlhess [10] https://www.drupal.org/contact [11] https://www.drupal.org/security-team [12] https://www.drupal.org/writing-secure-code [13] https://www.drupal.org/security/secure-configuration [14] https://twitter.com/drupalsecurity

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news December 2016