drupal7: CVE-2017-6928: SA-CORE-2018-001: Private file access bypass

Debian Bug report logs - #891152
drupal7: CVE-2017-6928: SA-CORE-2018-001: Private file access bypass

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: drupal7: SA-CORE-2018-001: Several vulnerabilities

Date: Thu, 22 Feb 2018 20:46:30 +0100

Source: drupal7
Version: 7.56-1
Severity: grave
Tags: security upstream

Hi

There was a new Drupal security advisory at

https://www.drupal.org/sa-core-2018-001

where several issues affect as well drupal7.

 * JavaScript cross-site scripting prevention is incomplete - Critical -
   Drupal 7 and Drupal 8
 * Private file access bypass - Moderately Critical - Drupal 7
 * jQuery vulnerability with untrusted domains - Moderately Critical
   - Drupal 7
 * External link injection on 404 pages when linking to the current page
   - Less Critical - Drupal 7

and fixed with 7.57 (others are affecting only Drupal 8, which is not
going to be packaged in Debian).

Regards,
Salvatore

Message #10 received at 891150@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 891150@bugs.debian.org

Subject: Re: Bug#891150: drupal7: SA-CORE-2018-001: Several vulnerabilities

Date: Thu, 22 Feb 2018 20:55:46 +0100

Control: clone -1 -2 -3 -4
Control: retitle -1 drupal7: SA-CORE-2018-001: JavaScript cross-site scripting prevention is incomplete
Control: retitle -2 drupal7: SA-CORE-2018-001: Private file access bypass
Control: retitle -3 drupal7: SA-CORE-2018-001: jQuery vulnerability with untrusted domains
Control: retitle -4 drupal7: SA-CORE-2018-001: External link injection on 404 pages when linking to the current page

Hi

On Thu, Feb 22, 2018 at 08:46:30PM +0100, Salvatore Bonaccorso wrote:
> Source: drupal7
> Version: 7.56-1
> Severity: grave
> Tags: security upstream
> 
> Hi
> 
> There was a new Drupal security advisory at
> 
> https://www.drupal.org/sa-core-2018-001
> 
> where several issues affect as well drupal7.
> 
>  * JavaScript cross-site scripting prevention is incomplete - Critical -
>    Drupal 7 and Drupal 8
>  * Private file access bypass - Moderately Critical - Drupal 7
>  * jQuery vulnerability with untrusted domains - Moderately Critical
>    - Drupal 7
>  * External link injection on 404 pages when linking to the current page
>    - Less Critical - Drupal 7

Let's split this up actually in the individual issues affecting Drupal
7 since there are no CVE yet available to identify the issues.

Regards,
Salvatore

Message #19 received at 891152-close@bugs.debian.org (full text, mbox, reply):

From: Gunnar Wolf <gwolf@debian.org>

To: 891152-close@bugs.debian.org

Subject: Bug#891152: fixed in drupal7 7.57-1

Date: Fri, 23 Feb 2018 20:51:25 +0000

Source: drupal7
Source-Version: 7.57-1

We believe that the bug you reported is fixed in the latest version of
drupal7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891152@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gunnar Wolf <gwolf@debian.org> (supplier of updated drupal7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 23 Feb 2018 13:37:09 -0600
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.57-1
Distribution: unstable
Urgency: high
Maintainer: Gunnar Wolf <gwolf@debian.org>
Changed-By: Gunnar Wolf <gwolf@debian.org>
Description:
 drupal7    - fully-featured content management framework
Closes: 891150 891152 891153 891154
Changes:
 drupal7 (7.57-1) unstable; urgency=high
 .
   * New upstream release
   * Fixes multiple security vulnerabilities, grouped under Drupal's
     SA-CORE-2018-001 (CVEs yet unassigned):
     - External link injection on 404 pages when linking to the current
       page (Closes: #891154)
     - jQuery vulnerability with untrusted domains (Closes: #891153)
     - Private file access bypass (Closes: #891152)
     - JavaScript cross-site scripting prevention is incomplete (Closes:
       #891150)
   * Uncruft: Remove an unused .dpatch file still from the drupal6 era(!)
   * Bump up standards-version to current policy (4.1.3.0)
     - Move from Priority: extra to Priority: optional
Checksums-Sha1:
 0bcd900daffff299b17059356c94278916987249 1881 drupal7_7.57-1.dsc
 0e11212a07c87f10706b80cbf19db18925791a49 3279405 drupal7_7.57.orig.tar.gz
 da525361ab1e539ae1b0f11d7ed0e8ff278f2005 187672 drupal7_7.57-1.debian.tar.xz
 88353ce704092b8b55a227c5365c387d50420060 2522040 drupal7_7.57-1_all.deb
 17e1e0943c4247ee3fc3f422bb500cff31e990ff 8525 drupal7_7.57-1_amd64.buildinfo
Checksums-Sha256:
 d20e95ef2b4ee9acc371a800c354092f07ea00939316eab5f53efc9166a18a9d 1881 drupal7_7.57-1.dsc
 c3bc1173d7830941fa9ee6061d555fec334bd6834d2fc5c870f3aef1fbf667e2 3279405 drupal7_7.57.orig.tar.gz
 165bd1bccc78ce131637338f4581d9c61c0c612a8f72282904d3af3026681f0a 187672 drupal7_7.57-1.debian.tar.xz
 abcc665c3f312adde572a778ecbabfc3f265673fd9b1c2bd068b7c708a7f74a6 2522040 drupal7_7.57-1_all.deb
 38b8552844f54d86daec47fa59360b0e25375eaca175cb3060ecf9472537c192 8525 drupal7_7.57-1_amd64.buildinfo
Files:
 b03b351c50f06d6765b5d54f03dd290c 1881 web optional drupal7_7.57-1.dsc
 44dec95a0ef56c4786785f575ac59a60 3279405 web optional drupal7_7.57.orig.tar.gz
 959a8236637c8a36b1536f1985e45c7d 187672 web optional drupal7_7.57-1.debian.tar.xz
 33278b3d6a14a99b4b226d7e48739477 2522040 web optional drupal7_7.57-1_all.deb
 6651b3ca66fc3dff98bd670a0c1ae75e 8525 web optional drupal7_7.57-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIyBAEBCAAdFiEEq0HBxor9ZoygRev4ZzoD5MHbkh8FAlqQcHUACgkQZzoD5MHb
kh/rAw/449Axo2wmdaWZEvZemUcmNRlQSt3pfsTxARHGIio49NmzeidKpbnl9cMu
I2sqNDegKgKL5WF+oL+5hkDqstnT8ko9Pfw+eR/RPU9pqkbamnItToGaQvNvCFth
vHpG4wnYdN/PEa6YoUbqfVlGlXcqRRuO6PE1a86CbK5KBSZEsFVBZwsDhDsI+6hr
V6uWC2FAmKVXxhZuTvCE1s3tHPOhKkFg2VellXnuMg5WGEOy3fh8ACdGZo3l2L7X
NjDBrB3m0cIcmipgRaTMeaP/VEN+FWSW4dMsnNUT04zeh0KKxX/8+CO/Z6PaE6Jw
bmRf6IItL+WPj6wH2KHZ4EMGjYTstPN/guYhRFaKClJYw7uGBc0RCHcjX8Sg/GKu
LDbKroNPxBDbJiH4fuFlRXpJxnaFstBO2oOELYLiDXQaeYuotGUktU4zJFRtOIrp
dbV/PyNL562pKV7KrG0hOipA6hiAUMYggJ4+kA/Y3Nibhv7JeCSA8HjlqOH2MOK+
pINFXN7vGoWGx+39l27a/z7IbIc12jSgZB6vHn6I8l2sU2eXBr1x+me4EuGgijwY
Jj1yLgIdScbq/3o2Zt95FN6LRsp5n1+jT0On0EWLdzZcYzhmxKkr4wfUMQIkh/n7
bL49b70Q2Jy4i0dhcHz/RWAUQWOIVrVaj/6zEgP07cJrxS1sOA==
=p3By
-----END PGP SIGNATURE-----

Message #28 received at 891152-close@bugs.debian.org (full text, mbox, reply):

From: Gunnar Wolf <gwolf@debian.org>

To: 891152-close@bugs.debian.org

Subject: Bug#891152: fixed in drupal7 7.52-2+deb9u2

Date: Sun, 25 Feb 2018 15:02:09 +0000

Source: drupal7
Source-Version: 7.52-2+deb9u2

We believe that the bug you reported is fixed in the latest version of
drupal7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891152@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gunnar Wolf <gwolf@debian.org> (supplier of updated drupal7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 22 Jun 2017 11:56:08 -0500
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.52-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Gunnar Wolf <gwolf@debian.org>
Changed-By: Gunnar Wolf <gwolf@debian.org>
Description:
 drupal7    - fully-featured content management framework
Closes: 891150 891152 891153 891154
Changes:
 drupal7 (7.52-2+deb9u2) stretch-security; urgency=high
 .
   * Added missing DEP5 header to SA-CORE-2017-003 patch
   * Uncruft: Remove an unused .dpatch file still from the drupal6 era(!)
   * Fixes multiple security vulnerabilities, grouped under Drupal's
     SA-CORE-2018-001 (CVEs yet unassigned):
     - External link injection on 404 pages when linking to the current
       page (Closes: #891154)
     - jQuery vulnerability with untrusted domains (Closes: #891153)
     - Private file access bypass (Closes: #891152)
     - JavaScript cross-site scripting prevention is incomplete (Closes:
       #891150)
Checksums-Sha1:
 225c3982bfbd02b3db5459c311743639d93e6603 1904 drupal7_7.52-2+deb9u2.dsc
 24a69c198db2358aa28e24e4ff32aafcd1f2ef38 192124 drupal7_7.52-2+deb9u2.debian.tar.xz
 c4fcd864d0f3d50b11bc9c6fed046234226be95f 2517480 drupal7_7.52-2+deb9u2_all.deb
 83a9790be1b87c47310704d9e1c202d72c4b4340 8574 drupal7_7.52-2+deb9u2_amd64.buildinfo
Checksums-Sha256:
 87509fea6f62f7c2aeda059b6086eaccb9f0282289746befb18a9be98847dc88 1904 drupal7_7.52-2+deb9u2.dsc
 ee93b46c165829788e062ca3a03f9bcd4782fbebb84bad834480dfb6256d4004 192124 drupal7_7.52-2+deb9u2.debian.tar.xz
 1db16f45bfcb17191bb2b18712bb97e736e809c6d49bcb7d387bb38f3b380d01 2517480 drupal7_7.52-2+deb9u2_all.deb
 0fa8447251ca25b58ee89cdf41363ac33b4ee5318d40429ce6f9afb0ced289aa 8574 drupal7_7.52-2+deb9u2_amd64.buildinfo
Files:
 23cafd996c10e83910ba27c93eed1dbd 1904 web extra drupal7_7.52-2+deb9u2.dsc
 82739f130e15ab1cf982800a7d9c27d6 192124 web extra drupal7_7.52-2+deb9u2.debian.tar.xz
 6c37f015793d430f388e56c6926e329b 2517480 web extra drupal7_7.52-2+deb9u2_all.deb
 686099084ea2eeeca6cca0da3ac3e0c0 8574 web extra drupal7_7.52-2+deb9u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEq0HBxor9ZoygRev4ZzoD5MHbkh8FAlqQeAUACgkQZzoD5MHb
kh+vDg/+O19En/vanthhp4qmbtvWUsJ0o6slD+aF3o9ln24Pon72Z15a7wbmj7+m
Dz44qHPk034/sbDOQAuDYDUP5fL0V7JYh7rF6JL8w+FA4o62SIgMLYaeWFTS+S6+
F0J0Qa+9Xb+Bd6OBY3LiDtME4kVW1VD3se7IqYQ1qQrKNWedABzDHn7Un1p7DfYB
f2vIqLcsSPMagHj0judOfumoUsBrDLMU3S+/aGL2HjCIYV7ilFSIRlwLtItDOB03
sLOAUNue6X1BCmCLZxmIYw1f3IfiT3oqXpmwoCJ6UMHgh4Fg5LbTlLaBhkL5/4f7
pdvgdorRQTZSOSHnmLKIhmZEeLbR3LPaU6LaXpHF99gHoinQCfDOjuSPqeVTsVZc
NTTeGOh0NVRyBNKd6CXhkfK9ntSFh4xQXhhD9f/Ibmh/Co3CeILT6F0LklpkNfxE
kdmq0PgHe/rXc4R3NyfpzXJ9QZX6jmNQaNo3RQcVn1uY3V9V64CJaJUURCKfOS3t
LoB5Xo2tQCKXzW4GQ7kbAXG/9tX78+vGZBNnGLXgYBgyFeUFfzxZTy1XxqL5zoga
Q2E6YeZJZOJmdUDrKw9dI3/nuZ0ZW8vJgbUhVQlu3bqtEHu6wmhlLjfNMSEQW7SG
AT+SWTGGIpvAj7TCY1hr+ki0Li/ZGyM5KH9Pq4SG/TvwrS8Hn8s=
=gHlf
-----END PGP SIGNATURE-----

Message #33 received at 891152-close@bugs.debian.org (full text, mbox, reply):

From: Gunnar Wolf <gwolf@debian.org>

To: 891152-close@bugs.debian.org

Subject: Bug#891152: fixed in drupal7 7.32-1+deb8u10

Date: Sat, 10 Mar 2018 23:18:04 +0000

Source: drupal7
Source-Version: 7.32-1+deb8u10

We believe that the bug you reported is fixed in the latest version of
drupal7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891152@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gunnar Wolf <gwolf@debian.org> (supplier of updated drupal7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 24 Feb 2018 01:06:57 -0600
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.32-1+deb8u10
Distribution: jessie-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Gunnar Wolf <gwolf@debian.org>
Description:
 drupal7    - fully-featured content management framework
Closes: 891150 891152 891153 891154
Changes:
 drupal7 (7.32-1+deb8u10) jessie-security; urgency=high
 .
   * Fixes multiple security vulnerabilities, grouped under Drupal's
     SA-CORE-2018-001 (CVEs yet unassigned):
     - External link injection on 404 pages when linking to the current
       page (Closes: #891154)
     - jQuery vulnerability with untrusted domains (Closes: #891153)
     - Private file access bypass (Closes: #891152)
     - JavaScript cross-site scripting prevention is incomplete (Closes:
       #891150)
Checksums-Sha1:
 eae0fea90d6e695a2977d074d653d3b2e3afa0f2 1915 drupal7_7.32-1+deb8u10.dsc
 07205490873a9e2ee71015105242471f22f04e03 203464 drupal7_7.32-1+deb8u10.debian.tar.xz
 bb81220b8a9dd183d900174cdce3f1e95b7bb85b 2470428 drupal7_7.32-1+deb8u10_all.deb
 6f616bdcca1e94d0ce9281b76d9f1695724d7c28 8581 drupal7_7.32-1+deb8u10_amd64.buildinfo
Checksums-Sha256:
 63f2e73915750d0459987c1180ffd64be12140cb33c6d4de4512c51e8b362d7f 1915 drupal7_7.32-1+deb8u10.dsc
 64e6a3f0bdb5b712e6baef113e07821b68149db948cb0351b269ad62602f78e7 203464 drupal7_7.32-1+deb8u10.debian.tar.xz
 01b22847c274954ab80d6641449feac10c4084ec2747aa1b1046a6eb39160df9 2470428 drupal7_7.32-1+deb8u10_all.deb
 d1f1e59aeadce1b3dbd37da206fb3eaf23daff51f3174b7a6eb76bc09b81a2fb 8581 drupal7_7.32-1+deb8u10_amd64.buildinfo
Files:
 c415847e5d547e0b30d6867b3dc5e03e 1915 web extra drupal7_7.32-1+deb8u10.dsc
 6b546c8dde289dbde9cf33f0c0719a42 203464 web extra drupal7_7.32-1+deb8u10.debian.tar.xz
 975ab41fb6df1a6430e4c5ba38f24f2e 2470428 web extra drupal7_7.32-1+deb8u10_all.deb
 0fd5847b9b75374d2458d642612495cb 8581 web extra drupal7_7.32-1+deb8u10_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEq0HBxor9ZoygRev4ZzoD5MHbkh8FAlqRENwACgkQZzoD5MHb
kh9mVxAApeLeACgYPmOWhmY28M2gGx4+slvlI5ZxBYiIJflX2ksOd9aIRP52GhrJ
n7E5lVsfeOyoKSlH5YfIKGAfBePCNZRep8YyErUbvmwvDd5276fHBdg60/0EEj/S
TwIu7saxlCsFq7tw8w6ftl2sMMb5W/KtEDAxeCGeUmlArk2Hh9SgX0+x+pmudRXv
HD86fFFoHmlkLYJLFeu4LouoZvriAW5arp1Ysg0oO3QMgkczA7c8KYMk074enaMQ
vmldEjql5MrwZ9PwTOIfWnTqaYK25tO3qTEn6iPNiH/+RKkYKbtBdfYcrXN9Db1L
c5SI7DbsNAgPR2dL3NrDbEgID1e6zCekloLKNnki8Xp11/ZZj6KE3qRzgaXCjinM
NHfS+yF2EQuoaE+PqakItvfSbgWeODg1A5yr0p7vjHnkpkpqsIJ+zHmhUA7wgcWi
+cN/yl8d1fT2iZU3lp4XfwSDRsC406RaFeWbjB4LgOJtf4ogku1RxPtYhts9GGwS
kepKza6hpWQ0hgyyjbA7tC67pcF4FQ/WhZQMojpjzYZZZza0CUDloNvfU//Tdpsb
7QG7jckJgN+X0DforTyQUv5JeupGrqaTBS5Q6p84Qvo73O+a/Pa9czjZPXdnTan9
jES5FgA++A++Vg5NGtL9WVpKdUaOvE1ivK1dR68Q664xtveydxk=
=GrLL
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.