June 2022 - Security-news - lists.drupal.org

Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046
by security-news＠drupal.org 29 Jun '22

29 Jun '22

View online: https://www.drupal.org/sa-contrib-2022-046 Project: Lottiefiles Field [1] Date: 2022-June-29 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting Description: The Lottiefiles Field module enables you to integrate the lottiefiles features into your page. The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit content that has lottiefiles fields. Solution: Install the latest version: * If you use the lottifiles_field module for Drupal 8.x or 9.x, upgrade to Lottiefiles Field 1.0.3 [3]. Reported By: * Conrad Lara [4] Fixed By: * Hari Venu [5] * Conrad Lara [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team [1] https://www.drupal.org/project/lottiefiles_field [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/lottiefiles_field/releases/1.0.3 [4] https://www.drupal.org/user/1790054 [5] https://www.drupal.org/user/3386122 [6] https://www.drupal.org/user/1790054 [7] https://www.drupal.org/user/36762

1 0

Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047
by security-news＠drupal.org 29 Jun '22

29 Jun '22

View online: https://www.drupal.org/sa-contrib-2022-047 Project: Config Terms [1] Date: 2022-June-29 Security risk: *Critical* 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2] Vulnerability: Access bypass Description: This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration. The module doesn't sufficiently check access for the edit and delete operations. Users with "access content" permission can edit or delete any term. The edit form may expose term data that users could not otherwise see, since there is no term view route by default. This vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission "access content", so may not be accessible to anonymous users on all sites. Solution: Install the latest version: * If you use the Config Terms module for Drupal 9.x, upgrade to Config Terms 8.x-1.6 [3] or later Reported By: * Emil Johnsson [4] Fixed By: * Emil Johnsson [5] * Justin Ludwig [6] [1] https://www.drupal.org/project/config_terms [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/config_terms/releases/8.x-1.6 [4] https://www.drupal.org/user/1868992 [5] https://www.drupal.org/user/1868992 [6] https://www.drupal.org/user/669258

1 0

Updated security policy for Drupal core Composer dependencies - PSA-2022-06-20
by security-news＠drupal.org 20 Jun '22

20 Jun '22

View online: https://www.drupal.org/psa-2022-06-20 Date: 2022-June-20 Description: .... In Drupal 9.4 and higher, drupal/core-recommended allows patch-level vendor updates The drupal/core-recommended metapackage now allows patch-level updates for Composer dependencies. This means that site owners using drupal/core-recommended can now install most Composer dependency security updates themselves, without needing to wait for an upstream release of Drupal core that updates the affected package. For example, in the future, a Guzzle vendor update like the recent Guzzle security release [1] can be installed by running: composer update guzzlehttp/guzzle The change record on drupal/core-recommended and patch-level updates [2] has more detailed information on how this change affects site dependency management. .... Drupal security advisories and same-day releases for vendor updates will only be issued if Drupal core is known to be exploitable It is the Drupal Security Team's policy to create new core releases and issue security advisories for third-party vendor libraries only if an exploit is possible in Drupal core. However, both the earlier version of the drupal/core-recommended metapackage and Drupal.org file archive downloads restrict sites to the exact Composer dependency versions used in Drupal core. Therefore, in practice, we have issued numerous security advisories (or same-day releases without security advisories) where only contributed or custom code might be vulnerable. For Drupal 9.4.0 and higher, the Security Team plans to no longer issue these "just-in-case" security advisories for Composer dependency security updates. Instead, the dependency updates will be handled as public security hardenings, and will be included alongside other bugfixes in normal Drupal core patch releases. These security hardenings may be released within a few days as off-schedule bugfix releases if contributed projects are known to be vulnerable, or on the next scheduled monthly bugfix window [3] for uncommon or theoretical vulnerabilities. (Keep in mind that Drupal core often already mitigates vulnerabilities present in its dependencies, so automated security scanners sometimes raise false positives when an upstream CVE is announced.) Site owners are responsible for monitoring security announcements for third-party dependencies as well as for Drupal projects [4], and for installing dependency security updates when necessary. .... Sites built using .tar.gz or .zip file downloads should convert to drupal/core-recommended for same-day dependency updates Drupal 9.4 sites built with tarball or zip file archives will no longer receive the same level of security support for core dependencies. Going forward, if core is not known to be exploitable, the core file downloads' dependencies will be updated in normal bugfix releases within a few days (if contributed projects are known to be vulnerable) to a few weeks (if the vulnerability is uncommon or theoretical). Sites built with tarball or zip files should convert to using drupal/core-recommended [5] to apply security updates more promptly than the above timeframe. .... Drupal 9.3 will receive prompt, best-effort updates until its end of life Drupal 9.3 receives security coverage until the release of Drupal 9.5.0 in December 2022, and will not include the above improvement to drupal/core-recommended. Therefore, we will still try to provide prompt releases of Drupal 9.3 for vendor security updates when it is possible for us to do so. Since normal bugfixes are no longer backported to Drupal 9.3, there will already be few to no other changes between its future releases, so dependency updates may be released as normal bugfix releases (rather than security-only releases). Security advisories for Drupal 9.3 vendor updates may still be issued depending on the nature of the vulnerability. .... Drupal 7 is not affected by this change and Drupal 7 core file downloads remain fully covered by the Drupal Security Team Drupal 7 core includes only limited use of third-party dependencies (in particular, the jQuery and jQuery UI JavaScript packages). Therefore, Drupal 7 is not affected by this policy change. Note that Drupal 7 sites that use third-party libraries with Drupal 7 contributed modules must still monitor and apply updates for those third-party libraries [6]. For press contacts, please email security-press(a)drupal.org [7]. [1] https://www.drupal.org/sa-core-2022-011 [2] https://www.drupal.org/node/3285240 [3] https://www.drupal.org/about/core/policies/core-release-cycles/schedule#mon… [4] https://www.drupal.org/psa-2011-002 [5] https://www.drupal.org/docs/user_guide/en/install-composer.html#s-convertin… [6] https://www.drupal.org/psa-2011-002 [7] mailto:security-press@drupal.org

1 0

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011
by security-news＠drupal.org 10 Jun '22

10 Jun '22

View online: https://www.drupal.org/sa-core-2022-011 Project: Drupal core [1] Date: 2022-June-10 Security risk: *Moderately critical* 13∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Third-party libraries CVE IDs: CVE-2022-31042CVE-2022-31043 Description: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories: * Failure to strip the Cookie header on change in host or HTTP downgrade [3] * Fix failure to strip Authorization header on HTTP downgrade [4] These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites. We are issuing this security advisory outside our regular Drupal security release window schedule [5] since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated these vulnerabilities as high-risk. This advisory is not covered by Drupal Steward. Solution: Install the latest version: * If you are using Drupal 9.4, update to Drupal 9.4.0-rc2 [6]. * If you are using Drupal 9.3, update to Drupal 9.3.16 [7]. * If you are using Drupal 9.2, update to Drupal 9.2.21 [8]. All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [9]. Drupal 7 is not affected. Reported By: * GHaddon [10] * Jeroen Tubex [11] * Yasen Ivanov [12] Fixed By: * Heine [13] of the Drupal Security Team * Dave Long [14] * Damien McKenna [15] of the Drupal Security Team * Michael Hess [16] of the Drupal Security Team * cilefen [17] of the Drupal Security Team * xjm [18] of the Drupal Security Team * Benji Fisher [19] [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9 [4] https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q [5] https://www.drupal.org/node/1173280 [6] https://www.drupal.org/project/drupal/releases/9.4.0-rc2 [7] https://www.drupal.org/project/drupal/releases/9.3.16 [8] https://www.drupal.org/project/drupal/releases/9.2.21 [9] https://www.drupal.org/psa-2021-06-29 [10] https://www.drupal.org/user/1507580 [11] https://www.drupal.org/user/2228934 [12] https://www.drupal.org/user/3513564 [13] https://www.drupal.org/user/17943 [14] https://www.drupal.org/user/246492 [15] https://www.drupal.org/user/108450 [16] https://www.drupal.org/user/102818 [17] https://www.drupal.org/user/1850070 [18] https://www.drupal.org/user/65776 [19] https://www.drupal.org/user/683300

1 0