News Block
SA-CORE-2012-001 - Drupal core multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CORE-2012-001
- Project: Drupal core
- Version: 6.x, 7.x
- Date: 2012-February-01
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.
This issue affects Drupal 6.x and 7.x.
OpenID not verifying signed attributes in SREG and AXCVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.
This issue affects Drupal 6.x and 7.x.
Access bypass in File moduleCVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.
This issue affects Drupal 7.x only.
Versions affected- Drupal 6.x core prior to 6.23.
- Drupal 7.x core prior to 7.11.
Install the latest version:
See also the Drupal core project page.
Reported by- The Aggregator module CSRF vulnerability was reported by Dylan Tack of the Drupal Security Team.
- The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang.
- The File module access bypass issue was reported by David Rothstein of the Drupal Security Team, and by Sascha Grossenbacher.
- Aggregator CSRF issue fixed by Dave Reid of the Drupal Security Team
- OpenID issue fixed by Vojtech Kusy and Christian Schmidt
- The File module access bypass issue was fixed by David Rothstein of the Drupal Security Team, Sascha Grossenbacher, and Derek Wright of the Drupal Security Team.
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
SA-CORE-2012-001 - Drupal core multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CORE-2012-001
- Project: Drupal core
- Version: 6.x, 7.x
- Date: 2012-February-01
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.
This issue affects Drupal 6.x and 7.x.
OpenID not verifying signed attributes in SREG and AXCVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.
This issue affects Drupal 6.x and 7.x.
Access bypass in File moduleCVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.
This issue affects Drupal 7.x only.
Versions affected- Drupal 6.x core prior to 6.23.
- Drupal 7.x core prior to 7.11.
Install the latest version:
See also the Drupal core project page.
Reported by- The Aggregator module CSRF vulnerability was reported by Dylan Tack of the Drupal Security Team.
- The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang.
- The File module access bypass issue was reported by David Rothstein of the Drupal Security Team, and by Sascha Grossenbacher.
- Aggregator CSRF issue fixed by Dave Reid of the Drupal Security Team
- OpenID issue fixed by Vojtech Kusy and Christian Schmidt
- The File module access bypass issue was fixed by David Rothstein of the Drupal Security Team, Sascha Grossenbacher, and Derek Wright of the Drupal Security Team.
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Drupal 6.12
Drupal 6.12 and 5.18, maintenance releases fixing problems reported using the bug tracking system, as well as a critical security vulnerability, are now available for download. Drupal 6.12 also fixes "account page opens automatically after login" among other smaller issues.
Upgrading your existing Drupal 5 and 6 sites is strongly recommended.
For more info see Drupal 6.12 and 5.18 released, SA-CORE-2009-006 - Drupal core - Cross site scripting and Upgrade Drupal to 6.12.
Drupal 6.11
Drupal 6.11 and 5.17, maintenance releases fixing problems reported using the bug tracking system, as well as a critical security vulnerability, are now available for download. Drupal 6.11 also fixes performance issues with the menu cache and update status cache among other smaller issues.
Upgrading your existing Drupal 5 and 6 sites is strongly recommended.
For more info see Drupal 6.11 and 5.17 released, SA-CORE-2009-005 - Drupal core - Cross site scripting and Upgrade Drupal to 6.11.
BobbyMods Drupal 6.x Upgrade Project
Here you can find all 'loose' Drupal 6.x core upgrade projects.
If your project is maintained by BobbyMods.com then your upgrade will be found at your project.
This project is only for CORE upgrades that do not fall within a regular project.
If you need to also update modules and themes (or the need to do so arises during the update), that will be a separate project.
Pending
| Title | Issue Status | Priority | Category | Version | Component | Changed |
|---|
