Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 4 Apr 2016 06:50:34 -0500
From: David Snopek <dsnopek@...il.com>
To: cve-assign@...re.org
Cc: Security Team <security@...pal.org>, oss-security@...ts.openwall.com
Subject: Re: [security] CVE requests for Drupal contributed modules (from
 2016-009 to 2016-014)

Hi,

Just as an FYI, there is a small team of vendors who are carrying on
Long-Term Support of Drupal 6 and some of its contrib modules:

http://drupal.org/project/d6lts

This affects one of the security issues you mentioned, in that the LTS
vendors ported the fix to the Drupal 6 version of Prepopulate and made an
unofficial release that contains it:

https://github.com/d6lts/prepopulate/releases/tag/6.x-2.3

I'm not sure if this matters to you, as these are completely unofficial
releases done by a group that isn't the same as the Drupal Security Team or
the upstream maintainers, but the ported patches and releases are (and will
be) publicly available. If you'd like, we can let you know about future
releases? Or if not. please feel free to ignore this note. :-)

Thanks,
David.

2016-03-17 10:23 GMT-05:00 <cve-assign@...re.org>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > Prepopulate - Access Bypass - SA-CONTRIB-2016-009
> > https://www.drupal.org/node/2679503
>
> >> The Prepopulate module does not adequately prevent a user from
> >> overwriting arbitrary parts of $_REQUEST. It also does not prevent
> >> pre-populating certain fields that are not displayed or manipulating
> >> markup fields to alter elements of the user interface.
>
> >> Versions affected
>
> >>    Prepopulate 7.x-2.x versions prior to 7.x-2.1.
>
> >>>
> http://cgit.drupalcode.org/prepopulate/commit/prepopulate.module?id=16cdb63cc3b256dd785e029ec17f92ddf80cc443
>
> Use CVE-2016-3187 for the issue associated with deleting the
> "parse_str(base64_decode($_REQUEST['pp']), $_REQUEST);" lines, and use
> CVE-2016-3188 for the issue associated with changing the value of
> $limited_types. (The 16cdb63cc3b256dd785e029ec17f92ddf80cc443 commit
> message does not seem closely related to the
> 16cdb63cc3b256dd785e029ec17f92ddf80cc443 code changes.)
>
> Our understanding is that the Prepopulate module was packaged in, for
> example, Fedora 23. The prepopulate-6.x-2.2.tar.gz file shipped in
> drupal6-prepopulate-2.2-4.fc23.src.rpm apparently does not have the
> 16cdb63cc3b256dd785e029ec17f92ddf80cc443 changes. Thus, we feel that
> the best available information is that CVE-2016-3187 and CVE-2016-3188
> affects or affected, at least, Fedora 23.
>
> (For example, see the
>
> http://fedora.mirror.lstn.net/releases/23/Everything/source/SRPMS/d/drupal6-prepopulate-2.2-4.fc23.src.rpm
> package file.)
>
> (We understand that Drupal 6 end-of-life was last month according to
> the https://www.drupal.org/drupal-6-eol post. We also understand that
>
> http://pkgs.fedoraproject.org/cgit/rpms/drupal6-prepopulate.git/commit?id=d77963c300289b6be29b5dc08d0662fc698068f4
> exists. However, drupal6-prepopulate-2.2-4.fc23 may still be in use on
> many Fedora 23 systems.)
>
> We may be sending a separate reply about the USASearch, Google
> Analytics Counter, Hubspot CTA, Node Notify, and Fieldable Panels
> Panes issues.
>
> - --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
>   http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJW6srrAAoJEL54rhJi8gl5J/4P/0g7s1pjL7lsg4sc3vN41r6v
> +1i0ucO28tfGhM13QxqNfR1RqUZ3W40dlWz2Lum6NvudbkGZaY+Jzph4BT9RW1n2
> 80ruiuamYF3escBnWvssSdIjwl2ibwsKFzzjyrvArdcZpnI6pwGFWPKLbN4pGyoz
> WSi+Ow067aqeSJVonW98AlxF4udVTrQJQi1wmhiW0jOE+7zk1rAwkVUgLlWCDJLB
> dVnopSr/FN2ewTkkJrAfBSfqQBGe7XNrnYCzefdBv7JgAARzkPc1jJzdC8oy3AIL
> TiyDVo6O/fi4j4pd01TVUc8Yh7kGilDdk7BPyptH4KPrGG8yS8SmLY2WSoR3gpa8
> iBvw6o9X0HuXFo9IGrSBsd6LUt/+dYkqOH4JN2dxj9rxKlqv+4zlGHqM8mP/xGaw
> 4tCy7ekDTpEEQNSSzZDLtrDtaYbtHztC2EQ+fUp8iTmh1OKayWPGHNj/+unChR+q
> 0QqQt483QarClETgwUtVQCwqUBT90nS0RFvG5FKCAGRurfWXR0b0jXtQPmECZj6k
> wlJinmq4yAPfHVEjm1/5pGANAcihuLUxVdvpw8ZbsAJRSg2wEvxSCILb4Av+OaxF
> o5q0Nlekcn3FxKNz4hpr+ra5CWy7i/KDhjAuH6rarNMWA2sDLOM18TjyL9Pax0xy
> etw4zEaMsg3o2WgpI6qS
> =huG5
> -----END PGP SIGNATURE-----
> --
> [ Security | https://lists.drupal.org/mailman/listinfo/security ]
> [Security team mailing list management and scheduling is documented here |
> https://security.drupal.org/handling-list-emails]
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.