Date: Tue, 20 Nov 2012 13:35:32 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Forest Monsen <forest.monsen@...il.com>
Subject: Re: CVE Request for Drupal Contributed Modules

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/17/2012 10:29 PM, Forest Monsen wrote:
> Hello!
> 
> Here's a batch CVE request for a number of previously published
> and resolved issues with contributed modules for the Drupal
> project. As noted in
> http://www.openwall.com/lists/oss-security/2012/11/05/4, I have
> volunteered to coordinate our CVE requests.
> 
> Forest Monsen, on behalf of the Drupal Security Team

Please see bottom of email for CVEs

> - SA-CONTRIB-2012-146 - Simplenews Scheduler - Arbitrary code
> execution http://drupal.org/node/1789284
> 
> - SA-CONTRIB-2012-147 - FileField Sources - Cross Site Scripting
> (XSS) http://drupal.org/node/1789306
> 
> - SA-CONTRIB-2012-148 - Organic Groups - Access Bypass 
> http://drupal.org/node/1796036
> 
> - SA-CONTRIB-2012-149 - Hostip - Cross Site Scripting (XSS) 
> http://drupal.org/node/1802218
> 
> - SA-CONTRIB-2012-150 - Twitter Pull - Cross Site Scripting (XSS) 
> http://drupal.org/node/1802230
> 
> - SA-CONTRIB-2012-151 - Commerce Extra Panes - Cross Site Request 
> Forgery http://drupal.org/node/1802258
> 
> - SA-CONTRIB-2012-152 - Feeds - Access bypass 
> http://drupal.org/node/1808832
> 
> - SA-CONTRIB-2012-153 - Mandrill - Information Disclosure 
> http://drupal.org/node/1808846
> 
> - SA-CONTRIB-2012-154 - Basic webmail - Cross Site Scripting 
> http://drupal.org/node/1808852
> 
> - SA-CONTRIB-2012-154 - Basic webmail - Information Disclosure 
> http://drupal.org/node/1808852
> 
> - SA-CONTRIB-2012-155 - ShareThis - Cross Site Scripting (XSS) 
> http://drupal.org/node/1808856
> 
> - SA-CONTRIB-2012-156 - Search API - Cross Site Request Forgery
> (CSRF) http://drupal.org/node/1815770
> 
> - SA-CONTRIB-2012-157 - Time Spent - Cross Site Scripting (XSS) 
> http://drupal.org/node/1822066
> 
> - SA-CONTRIB-2012-157 - Time Spent - Cross Site Request Forgery
> (CSRF) http://drupal.org/node/1822066
> 
> - SA-CONTRIB-2012-157 - Time Spent - SQL Injection 
> http://drupal.org/node/1822066
> 
> - SA-CONTRIB-2012-158 - MailChimp - Cross Site Scripting (XSS) 
> http://drupal.org/node/1822166
> 
> - SA-CONTRIB-2012-159 - Password policy - Information disclosure 
> http://drupal.org/node/1828340
> 
> - SA-CONTRIB-2012-160 - OM Maximenu - Cross Site Scripting (XSS) 
> http://drupal.org/node/1834866
> 
> - SA-CONTRIB-2012-161 - Webform CiviCRM Integration - Access
> Bypass http://drupal.org/node/1834868
> 
> - SA-CONTRIB-2012-162 - RESTful Web Services - Cross site request 
> forgery (CSRF) http://drupal.org/node/1840740
> 
> - SA-CONTRIB-2012-163 - User Read-Only - Permission escalation 
> http://drupal.org/node/1840886
> 
> - SA-CONTRIB-2012-164 - Smiley module and Smileys module - Cross
> Site Scripting (XSS) http://drupal.org/node/1840892
> 
> - SA-CONTRIB-2012-165 - Chaos tool suite (ctools) - Cross Site 
> Scripting (XSS) http://drupal.org/node/1840992

Please use the following:

CVE-2012-5537 Drupal SA-CONTRIB-2012-146
CVE-2012-5538 Drupal SA-CONTRIB-2012-147
CVE-2012-5539 Drupal SA-CONTRIB-2012-148
CVE-2012-5540 Drupal SA-CONTRIB-2012-149
CVE-2012-5541 Drupal SA-CONTRIB-2012-150
CVE-2012-5542 Drupal SA-CONTRIB-2012-151
CVE-2012-5543 Drupal SA-CONTRIB-2012-152
CVE-2012-5544 Drupal SA-CONTRIB-2012-153
CVE-2012-5545 Drupal SA-CONTRIB-2012-155 XSS
CVE-2012-5546 Drupal SA-CONTRIB-2012-155 Information Disclosure
CVE-2012-5547 Drupal SA-CONTRIB-2012-156
CVE-2012-5548 Drupal SA-CONTRIB-2012-157 XSS
CVE-2012-5549 Drupal SA-CONTRIB-2012-157 CSRF
CVE-2012-5550 Drupal SA-CONTRIB-2012-157 SQL Injection
CVE-2012-5551 Drupal SA-CONTRIB-2012-158
CVE-2012-5552 Drupal SA-CONTRIB-2012-159
CVE-2012-5553 Drupal SA-CONTRIB-2012-160
CVE-2012-5554 Drupal SA-CONTRIB-2012-161
CVE-2012-5556 Drupal SA-CONTRIB-2012-162
CVE-2012-5557 Drupal SA-CONTRIB-2012-163
CVE-2012-5558 Drupal SA-CONTRIB-2012-164
CVE-2012-5559 Drupal SA-CONTRIB-2012-165

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQq+mUAAoJEBYNRVNeJnmTMTwP/0aGGaza6YomFJs55tOYR0Ro
IbaqollVILrYeXOnAg9mVkeGAUJWkx1VNJh6K/SIhAWZF1Diy4evBuT+FwHjq5uy
rKwARLQ8BS62qnxLfSX/cXwQpCxk1jzbV9voiqKJkcsNxPz+1bfQxcD+qIocOCrg
zn4+RAtEdOeHCd0rL+nEnt2pQTk3EeSx7paGC6JhMtiFksXY06QdgKYZac3AbPII
MsysTKPJso3RfDHJc7i0v4fiTUn7HgzIU8UUPdkhPdMJ2Y/HXxdxJnzRhgnNlNkp
XZWc9ifLxHGlZlDBDspMjcpgX/4B90akeq2gtCKxZXlYZO31VOAv8eE2w9xKhOB6
v/0O6D+iT+4mThNjcSaQy1+3WVXyO2pG8zh/kMXWsWF0ZjSPgxQtuLzSpCFkDeu5
iDVmrKT6cquuC6ae8O2FAk9mhlSftE4noS5yNETzm5i2130YUM2KcabXjzJsutHo
lhFppm5pLXUrhsf4ukW1dF1AuMqSER7+NZLJ4APOuctkAdLz5C/jRjlx3k9OzCM5
M/xcKQmgXLlvc5+LS6oqxgv9UL60DNpNrigfuqeMhSqQXKxhT0XJ8K4EW7lc/pJE
gMODwy7LswyzwtQuZWkh0vMCqMoWDfL/8GdWxoEDrz2pTDYAwr0YsqV38+iwF+CC
+ueqh5siyTISyiGn30hy
=9r93
-----END PGP SIGNATURE-----
