June 2020 - Security-news - lists.drupal.org

Extending Drupal 7's End-of-Life - PSA-2020-06-24
by security-news＠drupal.org 24 Jun '20

24 Jun '20

View online: https://www.drupal.org/psa-2020-06-24 Date: 2020-June-24 Description: Previously, Drupal 7's end-of-life was scheduled for November 2021. Given the impact of COVID-19 on budgets and businesses, we will be extending the end of life until *November 28, 2022*. The Drupal Security Team will continue to follow the Security Team processes [1] for Drupal 7 core and contributed projects. However, this means extra work from the Drupal community at large and the security team in particular to review security reports, create patches, and release security advisories for Drupal 7. This community effort will give site owners more time while budgets recover, but the organizations that sponsor security team members and the individual security team members who volunteer their time could use your support. If you can, please donate to support the end-of-life extension [2]. *Drupal 8 will still be end-of-life on November 2, 2021*, due to Symfony 3's end of life [3]. However, since the upgrade path from Drupal 8 to Drupal 9 is much easier, we don't anticipate the same impact on end-users. .... What does this mean for my Drupal 7 site? You can continue to run the site and get security updates via the normal channels and processes. This will give you an extra year to work on converting your site to Drupal 9. .. Do I need to upgrade to Drupal 8 before I upgrade to Drupal 9? Migrating directly from Drupal 7 to Drupal 9 is supported with the core Migrate module. Read more on preparing a Drupal 7 site for Drupal 9 [4]. .... How can I help? *Consider donating [5] to support this effort.* If you are a representative of a large end-user of Drupal, we'd love you to join the Drupal Association and the security team as a partner. You can also consider getting more involved in fixing issues in the issue queue [6] or joining the Security Team [7] as a way to support the effort. .... What about Drupal 7 Vendor Extended Support? The extended support will now run from November 2022 until November 2025. You can read more about the Druapl 7 Vendor Extended Support program [8]. .... What about contributed projects? The Security Team will continue to follow the Security Team processes [9] for contributed projects. Contributed project maintainers are asked to consider supporting existing Drupal 7 releases if they are able. [1] https://www.drupal.org/drupal-security-team/security-team-procedures [2] http://drupal.org/security-team/donate [3] https://symfony.com/releases/3.4 [4] https://www.drupal.org/docs/understanding-drupal/drupal-9-release-date-and-… [5] http://drupal.org/security-team/donate [6] https://www.drupal.org/project/issues/drupal?text=&status=Open&priorities=A… [7] https://www.drupal.org/drupal-security-team/how-to-join-the-drupal-security… [8] https://www.drupal.org/drupal-security-team/information-for-organizations-i… [9] https://www.drupal.org/drupal-security-team/security-team-procedures

1 0

Internationalization - Moderately critical - Cross site scripting - SA-CONTRIB-2020-025
by security-news＠drupal.org 17 Jun '20

17 Jun '20

View online: https://www.drupal.org/sa-contrib-2020-025 Project: Internationalization [1] Version: 7.x-1.x-dev Date: 2020-June-17 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross site scripting Description: The Internationalization (i18n) [3] module is a collection of modules to extend Drupal core multilingual capabilities and allows to build real life multilingual sites. A value in the term translation module is displayed without being escaped leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit terms in " on a taxonomy vocabulary with i18n term translation enabled and the victim uses the i18n term translation page. Solution: Install the latest version: * If you use the Internationalization (i18n) [4] module for Drupal 7.x, upgrade to i18n 7.x-1.27 [5] Also see the Internationalization [6] project page. Reported By: * Guillaume MEMEINT [7] Fixed By: * Guillaume MEMEINT [8] * Peter Philipp [9] Coordinated By: * Greg Knaddison [10] of the Drupal Security Team [1] https://www.drupal.org/project/i18n [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/i18n [4] https://www.drupal.org/project/i18n [5] https://www.drupal.org/node/3152334 [6] https://www.drupal.org/project/i18n [7] https://www.drupal.org/user/2760067 [8] https://www.drupal.org/user/2760067 [9] https://www.drupal.org/user/762870 [10] https://www.drupal.org/user/36762

1 0

Drupal core - Less critical - Access bypass - SA-CORE-2020-006
by security-news＠drupal.org 17 Jun '20

17 Jun '20

View online: https://www.drupal.org/sa-core-2020-006 Project: Drupal core [1] Date: 2020-June-17 Security risk: *Less critical* 8∕25 AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass CVE IDs: CVE-2020-13665 Description: JSON:API PATCH requests may bypass validation for certain fields. By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. Solution: Install the latest version: * If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 [3]. * If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 [4]. * If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 [5]. Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8. Reported By: * Sergii Bondarenko [6] Fixed By: * Sergii Bondarenko [7] * Wim Leers [8] * Jess [9] of the Drupal Security Team * Lee Rowlands [10] of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/releases/8.8.8 [4] https://www.drupal.org/project/drupal/releases/8.9.1 [5] https://www.drupal.org/project/drupal/releases/9.0.1 [6] https://www.drupal.org/user/2802285 [7] https://www.drupal.org/user/2802285 [8] https://www.drupal.org/user/99777 [9] https://www.drupal.org/user/65776 [10] https://www.drupal.org/user/395439

1 0

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005
by security-news＠drupal.org 17 Jun '20

17 Jun '20

View online: https://www.drupal.org/sa-core-2020-005 Project: Drupal core [1] Date: 2020-June-17 Security risk: *Critical* 17∕25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2] Vulnerability: Arbitrary PHP code execution CVE IDs: CVE-2020-13664 Description: Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. Solution: Install the latest version: * If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 [3]. * If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 [4]. * If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 [5]. Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8. Reported By: * Lorenzo G [6] * Sam Thomas [7] Fixed By: * Jess [8] of the Drupal Security Team * Samuel Mortenson [9] of the Drupal Security Team * Peter Wolanin [10] of the Drupal Security Team * Lorenzo G [11] * Lee Rowlands [12] of the Drupal Security Team * Greg Knaddison [13] of the Drupal Security Team * Cash Williams [14] of the Drupal Security Team * Heine [15] of the Drupal Security Team * Drew Webber [16] of the Drupal Security Team * Alex Pott [17] of the Drupal Security Team * Gábor Hojtsy [18] [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/releases/8.8.8 [4] https://www.drupal.org/project/drupal/releases/8.9.1 [5] https://www.drupal.org/project/drupal/releases/9.0.1 [6] https://www.drupal.org/user/3644903 [7] https://www.drupal.org/user/3603418 [8] https://www.drupal.org/user/65776 [9] https://www.drupal.org/user/2582268 [10] https://www.drupal.org/user/49851 [11] https://www.drupal.org/user/3644903 [12] https://www.drupal.org/user/395439 [13] https://www.drupal.org/user/36762 [14] https://www.drupal.org/user/421070 [15] https://www.drupal.org/user/17943 [16] https://www.drupal.org/user/255969 [17] https://www.drupal.org/user/157725 [18] https://www.drupal.org/user/4166

1 0

Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004
by security-news＠drupal.org 17 Jun '20

17 Jun '20

View online: https://www.drupal.org/sa-core-2020-004 Project: Drupal core [1] Date: 2020-June-17 Security risk: *Critical* 15∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Request Forgery CVE IDs: CVE-2020-13663 Description: The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. Solution: * If you are using Drupal 7.x, upgrade to Drupal 7.72 [3]. * If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 [4]. * If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 [5]. * If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 [6]. Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8. Reported By: * Samuel Mortenson [7] of the Drupal Security Team * Dor Tumarkin [8] Fixed By: * Greg Knaddison [9] of the Drupal Security Team * Samuel Mortenson [10] of the Drupal Security Team * Jess [11] of the Drupal Security Team * Lee Rowlands [12] of the Drupal Security Team * Angie Byron [13] of the Drupal Security Team * Peter Wolanin [14] of the Drupal Security Team * Daniel Wehner [15] * Dor Tumarkin [16] * Drew Webber [17] of the Drupal Security Team * Alex Pott [18] of the Drupal Security Team * David Snopek [19] of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/releases/7.72 [4] https://www.drupal.org/project/drupal/releases/8.8.8 [5] https://www.drupal.org/project/drupal/releases/8.9.1 [6] https://www.drupal.org/project/drupal/releases/9.0.1 [7] https://www.drupal.org/user/2582268 [8] https://www.drupal.org/user/3648639 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/user/2582268 [11] https://www.drupal.org/user/65776 [12] https://www.drupal.org/user/395439 [13] https://www.drupal.org/user/24967 [14] https://www.drupal.org/user/49851 [15] https://www.drupal.org/user/99340 [16] https://www.drupal.org/user/3648639 [17] https://www.drupal.org/user/255969 [18] https://www.drupal.org/user/157725 [19] https://www.drupal.org/user/266527

1 0

Open ReadSpeaker - Moderately critical - Cross site scripting - SA-CONTRIB-2020-024
by security-news＠drupal.org 10 Jun '20

10 Jun '20

View online: https://www.drupal.org/sa-contrib-2020-024 Project: Open ReadSpeaker [1] Version: 8.x-1.x-dev Date: 2020-June-10 Security risk: *Moderately critical* 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross site scripting Description: This module enables you to add a configured ReadSpeaker button for text-to-speech for your site visitors. The module doesn't sufficiently sanitize block configuration causing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks". Solution: Install the latest version: * If you use the Open ReadSpeaker module for Drupal 8.x, upgrade to Open ReadSpeaker 8.x-1.5 [3] Also see the Open ReadSpeaker [4] project page. Reported By: * Ide Braakman [5] Fixed By: * Sven Schüring [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team [1] https://www.drupal.org/project/open_readspeaker [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/open_readspeaker/releases/8.x-1.5 [4] https://www.drupal.org/project/open_readspeaker [5] https://www.drupal.org/user/1879760 [6] https://www.drupal.org/user/1515828 [7] https://www.drupal.org/user/36762

1 0

YubiKey - Less critical - Access bypass - SA-CONTRIB-2020-023
by security-news＠drupal.org 10 Jun '20

10 Jun '20

View online: https://www.drupal.org/sa-contrib-2020-023 Project: YubiKey [1] Version: 7.x-2.x-dev Date: 2020-June-10 Security risk: *Less critical* 9∕25 AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass Description: This module enables you to use a Yubikey device to protect your Drupal user account. YubiKey is a secure method for logging into many websites using a cryptographically secure USB token. The module doesn't sufficiently implement login flood control when the module is configured for YubiKey OTP only. This allows an attacker to attempt many YubiKey OTP codes. However, a brute force attack on this code is not practical in most situations given the length and randomness of the OTP codes. Solution: Install the latest version: * If you use the Yubikey module for Drupal 7.x, upgrade to Yubikey 7.x-2.3 [3] Also see the YubiKey [4] project page. Reported By: * majorrobot [5] Fixed By: * Todd Johnson [6] * majorrobot [7] * Kurucz István [8] Coordinated By: * Greg Knaddison [9] of the Drupal Security Team [1] https://www.drupal.org/project/yubikey [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/yubikey/releases/7.x-2.3 [4] https://www.drupal.org/project/yubikey [5] https://www.drupal.org/user/168019 [6] https://www.drupal.org/user/263058 [7] https://www.drupal.org/user/168019 [8] https://www.drupal.org/user/58654 [9] https://www.drupal.org/user/36762

1 0

Services - Moderately critical - Access bypass - SA-CONTRIB-2020-022
by security-news＠drupal.org 03 Jun '20

03 Jun '20

View online: https://www.drupal.org/sa-contrib-2020-022 Project: Services [1] Version: 7.x-3.x-dev Date: 2020-June-03 Security risk: *Moderately critical* 11∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass Description: This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module's taxonomy term index resource doesn't take into consideration certain access control tags provided (but unused) by core, that certain contrib modules depend on. This vulnerability is mitigated by the fact your site must have the taxonomy term index resource enabled, your site must have a contributed module enabled which utilizes taxonomy term access control, and an attacker must know your api endpoint's path. Solution: Install the latest version: * If you use the Services module for Drupal 7.x, upgrade to Services 7.x-3.26 [3] Also see the Services [4] project page. Reported By: * Vadym Abramchuk [5] Fixed By: * Vadym Abramchuk [6] * Tyler Frankenstein [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/services [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/3144924 [4] https://www.drupal.org/project/services [5] https://www.drupal.org/user/3216035 [6] https://www.drupal.org/user/3216035 [7] https://www.drupal.org/user/150680 [8] https://www.drupal.org/user/36762

1 0