Date: Tue, 20 Nov 2012 13:35:32 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Forest Monsen <forest.monsen@...il.com>
Subject: Re: CVE Request for Drupal Contributed Modules

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/17/2012 10:29 PM, Forest Monsen wrote:
> Hello!
> 
> Here's a batch CVE request for a number of previously published
> and resolved issues with contributed modules for the Drupal
> project. As noted in
> http://www.openwall.com/lists/oss-security/2012/11/05/4, I have
> volunteered to coordinate our CVE requests.
> 
> Forest Monsen, on behalf of the Drupal Security Team

Please see bottom of email for CVEs

> - SA-CONTRIB-2012-146 - Simplenews Scheduler - Arbitrary code
> execution http://drupal.org/node/1789284
> 
> - SA-CONTRIB-2012-147 - FileField Sources - Cross Site Scripting
> (XSS) http://drupal.org/node/1789306
> 
> - SA-CONTRIB-2012-148 - Organic Groups - Access Bypass 
> http://drupal.org/node/1796036
> 
> - SA-CONTRIB-2012-149 - Hostip - Cross Site Scripting (XSS) 
> http://drupal.org/node/1802218
> 
> - SA-CONTRIB-2012-150 - Twitter Pull - Cross Site Scripting (XSS) 
> http://drupal.org/node/1802230
> 
> - SA-CONTRIB-2012-151 - Commerce Extra Panes - Cross Site Request 
> Forgery http://drupal.org/node/1802258
> 
> - SA-CONTRIB-2012-152 - Feeds - Access bypass 
> http://drupal.org/node/1808832
> 
> - SA-CONTRIB-2012-153 - Mandrill - Information Disclosure 
> http://drupal.org/node/1808846
> 
> - SA-CONTRIB-2012-154 - Basic webmail - Cross Site Scripting 
> http://drupal.org/node/1808852
> 
> - SA-CONTRIB-2012-154 - Basic webmail - Information Disclosure 
> http://drupal.org/node/1808852
> 
> - SA-CONTRIB-2012-155 - ShareThis - Cross Site Scripting (XSS) 
> http://drupal.org/node/1808856
> 
> - SA-CONTRIB-2012-156 - Search API - Cross Site Request Forgery
> (CSRF) http://drupal.org/node/1815770
> 
> - SA-CONTRIB-2012-157 - Time Spent - Cross Site Scripting (XSS) 
> http://drupal.org/node/1822066
> 
> - SA-CONTRIB-2012-157 - Time Spent - Cross Site Request Forgery
> (CSRF) http://drupal.org/node/1822066
> 
> - SA-CONTRIB-2012-157 - Time Spent - SQL Injection 
> http://drupal.org/node/1822066
> 
> - SA-CONTRIB-2012-158 - MailChimp - Cross Site Scripting (XSS) 
> http://drupal.org/node/1822166
> 
> - SA-CONTRIB-2012-159 - Password policy - Information disclosure 
> http://drupal.org/node/1828340
> 
> - SA-CONTRIB-2012-160 - OM Maximenu - Cross Site Scripting (XSS) 
> http://drupal.org/node/1834866
> 
> - SA-CONTRIB-2012-161 - Webform CiviCRM Integration - Access
> Bypass http://drupal.org/node/1834868
> 
> - SA-CONTRIB-2012-162 - RESTful Web Services - Cross site request 
> forgery (CSRF) http://drupal.org/node/1840740
> 
> - SA-CONTRIB-2012-163 - User Read-Only - Permission escalation 
> http://drupal.org/node/1840886
> 
> - SA-CONTRIB-2012-164 - Smiley module and Smileys module - Cross
> Site Scripting (XSS) http://drupal.org/node/1840892
> 
> - SA-CONTRIB-2012-165 - Chaos tool suite (ctools) - Cross Site 
> Scripting (XSS) http://drupal.org/node/1840992

Please use the following:

CVE-2012-5537 Drupal SA-CONTRIB-2012-146
CVE-2012-5538 Drupal SA-CONTRIB-2012-147
CVE-2012-5539 Drupal SA-CONTRIB-2012-148
CVE-2012-5540 Drupal SA-CONTRIB-2012-149
CVE-2012-5541 Drupal SA-CONTRIB-2012-150
CVE-2012-5542 Drupal SA-CONTRIB-2012-151
CVE-2012-5543 Drupal SA-CONTRIB-2012-152
CVE-2012-5544 Drupal SA-CONTRIB-2012-153
CVE-2012-5545 Drupal SA-CONTRIB-2012-155 XSS
CVE-2012-5546 Drupal SA-CONTRIB-2012-155 Information Disclosure
CVE-2012-5547 Drupal SA-CONTRIB-2012-156
CVE-2012-5548 Drupal SA-CONTRIB-2012-157 XSS
CVE-2012-5549 Drupal SA-CONTRIB-2012-157 CSRF
CVE-2012-5550 Drupal SA-CONTRIB-2012-157 SQL Injection
CVE-2012-5551 Drupal SA-CONTRIB-2012-158
CVE-2012-5552 Drupal SA-CONTRIB-2012-159
CVE-2012-5553 Drupal SA-CONTRIB-2012-160
CVE-2012-5554 Drupal SA-CONTRIB-2012-161
CVE-2012-5556 Drupal SA-CONTRIB-2012-162
CVE-2012-5557 Drupal SA-CONTRIB-2012-163
CVE-2012-5558 Drupal SA-CONTRIB-2012-164
CVE-2012-5559 Drupal SA-CONTRIB-2012-165

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
