Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 4 Apr 2016 06:50:34 -0500
From: David Snopek <dsnopek@...il.com>
To: cve-assign@...re.org
Cc: Security Team <security@...pal.org>, oss-security@...ts.openwall.com
Subject: Re: [security] CVE requests for Drupal contributed modules (from
 2016-009 to 2016-014)

Hi,

Just as an FYI, there is a small team of vendors who are carrying on
Long-Term Support of Drupal 6 and some of its contrib modules:

http://drupal.org/project/d6lts

This affects one of the security issues you mentioned, in that the LTS
vendors ported the fix to the Drupal 6 version of Prepopulate and made an
unofficial release that contains it:

https://github.com/d6lts/prepopulate/releases/tag/6.x-2.3

I'm not sure if this matters to you, as these are completely unofficial
releases done by a group that isn't the same as the Drupal Security Team or
the upstream maintainers, but the ported patches and releases are (and will
be) publicly available. If you'd like, we can let you know about future
releases? Or if not. please feel free to ignore this note. :-)

Thanks,
David.

2016-03-17 10:23 GMT-05:00 <cve-assign@...re.org>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > Prepopulate - Access Bypass - SA-CONTRIB-2016-009
> > https://www.drupal.org/node/2679503
>
> >> The Prepopulate module does not adequately prevent a user from
> >> overwriting arbitrary parts of $_REQUEST. It also does not prevent
> >> pre-populating certain fields that are not displayed or manipulating
> >> markup fields to alter elements of the user interface.
>
> >> Versions affected
>
> >>    Prepopulate 7.x-2.x versions prior to 7.x-2.1.
>
> >>>
> http://cgit.drupalcode.org/prepopulate/commit/prepopulate.module?id=16cdb63cc3b256dd785e029ec17f92ddf80cc443
>
> Use CVE-2016-3187 for the issue associated with deleting the
> "parse_str(base64_decode($_REQUEST['pp']), $_REQUEST);" lines, and use
> CVE-2016-3188 for the issue associated with changing the value of
> $limited_types. (The 16cdb63cc3b256dd785e029ec17f92ddf80cc443 commit
> message does not seem closely related to the
> 16cdb63cc3b256dd785e029ec17f92ddf80cc443 code changes.)
>
> Our understanding is that the Prepopulate module was packaged in, for
> example, Fedora 23. The prepopulate-6.x-2.2.tar.gz file shipped in
> drupal6-prepopulate-2.2-4.fc23.src.rpm apparently does not have the
> 16cdb63cc3b256dd785e029ec17f92ddf80cc443 changes. Thus, we feel that
> the best available information is that CVE-2016-3187 and CVE-2016-3188
> affects or affected, at least, Fedora 23.
>
> (For example, see the
>
> http://fedora.mirror.lstn.net/releases/23/Everything/source/SRPMS/d/drupal6-prepopulate-2.2-4.fc23.src.rpm
> package file.)
>
> (We understand that Drupal 6 end-of-life was last month according to
> the https://www.drupal.org/drupal-6-eol post. We also understand that
>
> http://pkgs.fedoraproject.org/cgit/rpms/drupal6-prepopulate.git/commit?id=d77963c300289b6be29b5dc08d0662fc698068f4
> exists. However, drupal6-prepopulate-2.2-4.fc23 may still be in use on
> many Fedora 23 systems.)
>
> We may be sending a separate reply about the USASearch, Google
> Analytics Counter, Hubspot CTA, Node Notify, and Fieldable Panels
> Panes issues.
>
> - --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
>   http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJW6srrAAoJEL54rhJi8gl5J/4P/0g7s1pjL7lsg4sc3vN41r6v
> +1i0ucO28tfGhM13QxqNfR1RqUZ3W40dlWz2Lum6NvudbkGZaY+Jzph4BT9RW1n2
> 80ruiuamYF3escBnWvssSdIjwl2ibwsKFzzjyrvArdcZpnI6pwGFWPKLbN4pGyoz
> WSi+Ow067aqeSJVonW98AlxF4udVTrQJQi1wmhiW0jOE+7zk1rAwkVUgLlWCDJLB
> dVnopSr/FN2ewTkkJrAfBSfqQBGe7XNrnYCzefdBv7JgAARzkPc1jJzdC8oy3AIL
> TiyDVo6O/fi4j4pd01TVUc8Yh7kGilDdk7BPyptH4KPrGG8yS8SmLY2WSoR3gpa8
> iBvw6o9X0HuXFo9IGrSBsd6LUt/+dYkqOH4JN2dxj9rxKlqv+4zlGHqM8mP/xGaw
> 4tCy7ekDTpEEQNSSzZDLtrDtaYbtHztC2EQ+fUp8iTmh1OKayWPGHNj/+unChR+q
> 0QqQt483QarClETgwUtVQCwqUBT90nS0RFvG5FKCAGRurfWXR0b0jXtQPmECZj6k
> wlJinmq4yAPfHVEjm1/5pGANAcihuLUxVdvpw8ZbsAJRSg2wEvxSCILb4Av+OaxF
> o5q0Nlekcn3FxKNz4hpr+ra5CWy7i/KDhjAuH6rarNMWA2sDLOM18TjyL9Pax0xy
> etw4zEaMsg3o2WgpI6qS
> =huG5
> -----END PGP SIGNATURE-----
> --
> [ Security | https://lists.drupal.org/mailman/listinfo/security ]
> [Security team mailing list management and scheduling is documented here |
> https://security.drupal.org/handling-list-emails]
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ