drupal7: CVE-2019-11358: XSS in bundled library (jquery)

Related Vulnerabilities: CVE-2019-11358  

Debian Bug report logs - #927330

Package: drupal7; Maintainer for drupal7 is Gunnar Wolf <gwolf@debian.org>; Source for drupal7 is src:drupal7 (PTS, buildd, popcon).

Reported by: Gunnar Wolf <gwolf@gwolf.org>

Date: Thu, 18 Apr 2019 05:09:02 UTC

Severity: normal

Tags: patch, security, upstream

Found in version drupal7/7.52-2+deb9u7

Fixed in version drupal7/7.52-2+deb9u8

Done: Gunnar Wolf <gwolf@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#927330; Package drupal7. (Thu, 18 Apr 2019 05:09:04 GMT)


Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Gunnar Wolf <gwolf@debian.org>. (Thu, 18 Apr 2019 05:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: drupal7: XSS in bundled library (jquery)
Date: Thu, 18 Apr 2019 00:01:47 -0500
Package: drupal7
Version: 7.52-2+deb9u7
Severity: normal
Tags: security patch upstream

FWIW, report copied over from the Drupal advisory,
https://www.drupal.org/SA-CORE-2019-006

The jQuery project released version 3.4.0, and as part of that,
disclosed a security vulnerability that affects all prior versions. As
described in their release notes:

    jQuery 3.4.0 includes a fix for some unintended behavior when
    using jQuery.extend(true, {}, ...). If an unsanitized source
    object contained an enumerable __proto__ property, it could extend
    the native Object.prototype. This fix is included in jQuery 3.4.0,
    but patch diffs exist to patch previous jQuery versions.

It's possible that this vulnerability is exploitable with some Drupal
modules. As a precaution, this Drupal security release backports the
fix to jQuery.extend(), without making any other changes to the jQuery
version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4
for Drupal 7) or running on the site via some other module such as
jQuery Update.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-1-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
[drupal.diff (text/plain, attachment)]
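The jQuery.extend(true, ...) behaviour the advisory describes, as an added example that is not code from the bug report, the Drupal advisory or jQuery itself: a simplified deep merge in the shape of the pre-3.4.0 extend, beside the same merge with the check jQuery 3.4.0 added, both run on a constructed untrusted JSON document. The function names and the sample input are assumptions of this example.

```javascript
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Before the fix: every enumerable key of the source is merged, so an own
// "__proto__" key makes the recursion write into Object.prototype, because
// target["__proto__"] resolves to Object.prototype and is itself a plain object.
function deepExtendUnsafe(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (isPlainObject(copy)) {
      const src = target[name];                 // for "__proto__" this is Object.prototype
      target[name] = deepExtendUnsafe(isPlainObject(src) ? src : {}, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// After the fix (the same two conditions jQuery 3.4.0 added): never descend
// into "__proto__" and never merge an object into itself.
function deepExtendSafe(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || copy === target) continue;
    if (isPlainObject(copy)) {
      const src = target[name];
      target[name] = deepExtendSafe(isPlainObject(src) ? src : {}, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed sample input: JSON.parse creates "__proto__" as an own,
// enumerable property, which is exactly what the deep merge then walks.
const UNTRUSTED_JSON = '{"title": "hello", "__proto__": {"polluted": true}}';

// Runs one merge into a fresh object and reports whether Object.prototype
// gained the attacker-chosen key; cleans up so later runs start unpolluted.
function mergeAndCheck(merge) {
  const target = merge({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  delete Object.prototype.polluted;
  return { title: target.title, leaked };
}
```

The check in mergeAndCheck is also a usable regression test for any in-house deep merge: if an unrelated object can see a key that only existed in untrusted input, the merge is still vulnerable.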

Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#927330; Package drupal7. (Sat, 20 Apr 2019 06:06:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Sat, 20 Apr 2019 06:06:03 GMT)


Message #10 received at 927330@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 927385@bugs.debian.org, 927330@bugs.debian.org, yadd@debian.org, gwolf@debian.org
Subject: Re: Bug#927385: jquery: Prototype Pollution vulnerability
Date: Sat, 20 Apr 2019 08:03:08 +0200
Control: retitle 927385 jquery: CVE-2019-11358: Prototype Pollution vulnerability
Control: retitle 927330 drupal7: CVE-2019-11358: XSS in bundled library (jquery)

Hi

CVE-2019-11358 was assigned for the jquery issue (and to be used as
well for drupal).

Regards,
Salvatore



Changed Bug title to 'drupal7: CVE-2019-11358: XSS in bundled library (jquery)' from 'drupal7: XSS in bundled library (jquery)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 927330-submit@bugs.debian.org. (Sat, 20 Apr 2019 06:06:04 GMT)


Reply sent to Gunnar Wolf <gwolf@debian.org>:
You have taken responsibility. (Sat, 20 Apr 2019 22:21:10 GMT)


Notification sent to Gunnar Wolf <gwolf@gwolf.org>:
Bug acknowledged by developer. (Sat, 20 Apr 2019 22:21:10 GMT)


Message #17 received at 927330-close@bugs.debian.org:

From: Gunnar Wolf <gwolf@debian.org>
To: 927330-close@bugs.debian.org
Subject: Bug#927330: fixed in drupal7 7.52-2+deb9u8
Date: Sat, 20 Apr 2019 22:17:08 +0000
Source: drupal7
Source-Version: 7.52-2+deb9u8

We believe that the bug you reported is fixed in the latest version of
drupal7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927330@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gunnar Wolf <gwolf@debian.org> (supplier of updated drupal7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 18 Apr 2019 00:03:42 -0500
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.52-2+deb9u8
Distribution: stretch-security
Urgency: high
Maintainer: Gunnar Wolf <gwolf@debian.org>
Changed-By: Gunnar Wolf <gwolf@debian.org>
Description:
 drupal7    - fully-featured content management framework
Closes: 927330
Changes:
 drupal7 (7.52-2+deb9u8) stretch-security; urgency=high
 .
   * SA-CORE-2019-006: Fix XSS vulnerability (Closes: #927330)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 May 2019 07:25:56 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:31:56 2019; Machine Name: beach
