View online: https://www.drupal.org/node/2839366
* Advisory ID: DRUPAL-SA-PSA-2016-004
* Project: PHPMailer [1] (third-party library)
* Version: 7.x, 8.x
* Date: 2016-December-26
* Security risk: 23/25 ( Highly Critical)
AC:None/A:User/CI:All/II:All/E:Exploit/TD:All [2]
* Vulnerability: Arbitrary PHP code execution
-------- DESCRIPTION
---------------------------------------------------------
The PHPMailer and SMTP modules (and maybe others) add support for sending
e-mails using the 3rd party PHPMailer library.
In general the Drupal project does not create advisories for 3rd party
libraries. Drupal site maintainers should pay attention to the notifications
provided by those 3rd party libraries as outlined in PSA-2011-002 - External
libraries and plugins [3]. However, given the extreme criticality of this
issue and the timing of its release we are issuing a Public Service
Announcement to alert potentially affected Drupal site maintainers.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* CVE-2016-10033
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of the external PHPMailer library < 5.2.18.
Drupal core is not affected. If you do not use the contributed PHPMailer [4]
third party library, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the newest version of the phpmailler library.
https://github.com/PHPMailer/PHPMailer [5]
-------- IF YOU ARE USING THE SMTP MODULE [6]
--------------------------------
The SMTP module has a modified third party PHPMailer library in its codebase.
The modified version of the library is not affected.
A special thanks to Fabiano Sant'Ana [7], SMTP module [8] maintainer, for
working on this with short notice.
-------- REPORTED BY
---------------------------------------------------------
* Dawid Golunski
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [13]
[1] https://github.com/PHPMailer/PHPMailer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/1189632
[4] https://github.com/PHPMailer/PHPMailer
[5] https://github.com/PHPMailer/PHPMailer
[6] https://www.drupal.org/project/smtp
[7] https://www.drupal.org/u/wundo
[8] https://www.drupal.org/project/smtp
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2833790
* Advisory ID: DRUPAL-SA-CONTRIB-2016-063
* Project: High-performance JavaScript callback handler [1]
(third-party
module)
* Version: 7.x
* Date: 2016-December-07
* Security risk: 22/25 ( Highly Critical)
AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request
Forgery, Open Redirect, Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
The High-performance JavaScript callback handler module is a light weight
callback to bypass most, if not all, of Drupal's bootstrapping process to
achieve improved performance.
The module does not sufficiently check whether or not a callback is being
properly accessed or filtering for potential XSS or CSRF exploits.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* High-performance JavaScript callback handler (js) 7.x-1.x versions prior
to 7.x-2.1.
Drupal core is not affected. If you do not use the contributed
High-performance JavaScript callback handler [4] module, there is nothing you
need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the js module for Drupal 7.x, upgrade to js 7.x-2.1 [5]
*Note:* this upgrade is not backwards compatible with 7.x-1.x. Existing
contrib and custom module implementations of this API will either need to be
upgraded, replaced or removed.
Also see the High-performance JavaScript callback handler [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Anthony Leach (anthonyleach) [7]
-------- FIXED BY
------------------------------------------------------------
* Mark Carver (markcarver) [8] - module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/js
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/js
[5] https://www.drupal.org/project/js/releases/7.x-2.1
[6] https://www.drupal.org/project/js
[7] https://www.drupal.org/u/anthonyleach
[8] https://www.drupal.org/u/markcarver
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity