Date: Mon, 4 Apr 2016 06:50:34 -0500 From: David Snopek <dsnopek@...il.com> To: cve-assign@...re.org Cc: Security Team <security@...pal.org>, oss-security@...ts.openwall.com Subject: Re: [security] CVE requests for Drupal contributed modules (from 2016-009 to 2016-014) Hi, Just as an FYI, there is a small team of vendors who are carrying on Long-Term Support of Drupal 6 and some of its contrib modules: http://drupal.org/project/d6lts This affects one of the security issues you mentioned, in that the LTS vendors ported the fix to the Drupal 6 version of Prepopulate and made an unofficial release that contains it: https://github.com/d6lts/prepopulate/releases/tag/6.x-2.3 I'm not sure if this matters to you, as these are completely unofficial releases done by a group that isn't the same as the Drupal Security Team or the upstream maintainers, but the ported patches and releases are (and will be) publicly available. If you'd like, we can let you know about future releases? Or if not. please feel free to ignore this note. :-) Thanks, David. 2016-03-17 10:23 GMT-05:00 <cve-assign@...re.org>: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > > Prepopulate - Access Bypass - SA-CONTRIB-2016-009 > > https://www.drupal.org/node/2679503 > > >> The Prepopulate module does not adequately prevent a user from > >> overwriting arbitrary parts of $_REQUEST. It also does not prevent > >> pre-populating certain fields that are not displayed or manipulating > >> markup fields to alter elements of the user interface. > > >> Versions affected > > >> Prepopulate 7.x-2.x versions prior to 7.x-2.1. > > >>> > http://cgit.drupalcode.org/prepopulate/commit/prepopulate.module?id=16cdb63cc3b256dd785e029ec17f92ddf80cc443 > > Use CVE-2016-3187 for the issue associated with deleting the > "parse_str(base64_decode($_REQUEST['pp']), $_REQUEST);" lines, and use > CVE-2016-3188 for the issue associated with changing the value of > $limited_types. (The 16cdb63cc3b256dd785e029ec17f92ddf80cc443 commit > message does not seem closely related to the > 16cdb63cc3b256dd785e029ec17f92ddf80cc443 code changes.) > > Our understanding is that the Prepopulate module was packaged in, for > example, Fedora 23. The prepopulate-6.x-2.2.tar.gz file shipped in > drupal6-prepopulate-2.2-4.fc23.src.rpm apparently does not have the > 16cdb63cc3b256dd785e029ec17f92ddf80cc443 changes. Thus, we feel that > the best available information is that CVE-2016-3187 and CVE-2016-3188 > affects or affected, at least, Fedora 23. > > (For example, see the > > http://fedora.mirror.lstn.net/releases/23/Everything/source/SRPMS/d/drupal6-prepopulate-2.2-4.fc23.src.rpm > package file.) > > (We understand that Drupal 6 end-of-life was last month according to > the https://www.drupal.org/drupal-6-eol post. We also understand that > > http://pkgs.fedoraproject.org/cgit/rpms/drupal6-prepopulate.git/commit?id=d77963c300289b6be29b5dc08d0662fc698068f4 > exists. However, drupal6-prepopulate-2.2-4.fc23 may still be in use on > many Fedora 23 systems.) > > We may be sending a separate reply about the USASearch, Google > Analytics Counter, Hubspot CTA, Node Notify, and Fieldable Panels > Panes issues. > > - -- > CVE Assignment Team > M/S M300, 202 Burlington Road, Bedford, MA 01730 USA > [ A PGP key is available for encrypted communications at > http://cve.mitre.org/cve/request_id.html ] > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQIcBAEBCAAGBQJW6srrAAoJEL54rhJi8gl5J/4P/0g7s1pjL7lsg4sc3vN41r6v > +1i0ucO28tfGhM13QxqNfR1RqUZ3W40dlWz2Lum6NvudbkGZaY+Jzph4BT9RW1n2 > 80ruiuamYF3escBnWvssSdIjwl2ibwsKFzzjyrvArdcZpnI6pwGFWPKLbN4pGyoz > WSi+Ow067aqeSJVonW98AlxF4udVTrQJQi1wmhiW0jOE+7zk1rAwkVUgLlWCDJLB > dVnopSr/FN2ewTkkJrAfBSfqQBGe7XNrnYCzefdBv7JgAARzkPc1jJzdC8oy3AIL > TiyDVo6O/fi4j4pd01TVUc8Yh7kGilDdk7BPyptH4KPrGG8yS8SmLY2WSoR3gpa8 > iBvw6o9X0HuXFo9IGrSBsd6LUt/+dYkqOH4JN2dxj9rxKlqv+4zlGHqM8mP/xGaw > 4tCy7ekDTpEEQNSSzZDLtrDtaYbtHztC2EQ+fUp8iTmh1OKayWPGHNj/+unChR+q > 0QqQt483QarClETgwUtVQCwqUBT90nS0RFvG5FKCAGRurfWXR0b0jXtQPmECZj6k > wlJinmq4yAPfHVEjm1/5pGANAcihuLUxVdvpw8ZbsAJRSg2wEvxSCILb4Av+OaxF > o5q0Nlekcn3FxKNz4hpr+ra5CWy7i/KDhjAuH6rarNMWA2sDLOM18TjyL9Pax0xy > etw4zEaMsg3o2WgpI6qS > =huG5 > -----END PGP SIGNATURE----- > -- > [ Security | https://lists.drupal.org/mailman/listinfo/security ] > [Security team mailing list management and scheduling is documented here | > https://security.drupal.org/handling-list-emails] >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ