drupal7: CVE-2018-7602: SA-CORE-2018-004

Related Vulnerabilities: CVE-2018-7602  

Debian Bug report logs - #896701

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 23 Apr 2018 18:57:02 UTC

Severity: grave

Tags: security, upstream

Found in version drupal7/7.32-1

Fixed in versions drupal7/7.52-2+deb9u4, drupal7/7.32-1+deb8u12

Done: Gunnar Wolf <gwolf@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#896701; Package src:drupal7. (Mon, 23 Apr 2018 18:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Gunnar Wolf <gwolf@debian.org>. (Mon, 23 Apr 2018 18:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: drupal7: CVE-2018-7602: SA-CORE-2018-004
Date: Mon, 23 Apr 2018 20:53:38 +0200
Source: drupal7
Version: 7.32-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for drupal7.

CVE-2018-7602[0]:
SA-CORE-2018-004

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7602
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7602
[1] https://www.drupal.org/psa-2018-003

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#896701; Package src:drupal7. (Mon, 23 Apr 2018 19:09:02 GMT)


Acknowledgement sent to Gunnar Wolf <gwolf@debian.org>:
Extra info received and forwarded to list. (Mon, 23 Apr 2018 19:09:02 GMT)


Message #10 received at submit@bugs.debian.org:

From: Gunnar Wolf <gwolf@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 896701@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#896701: drupal7: CVE-2018-7602: SA-CORE-2018-004
Date: Mon, 23 Apr 2018 14:04:33 -0500

Salvatore Bonaccorso said [Mon, Apr 23, 2018 at 08:53:38PM +0200]:
> The following vulnerability was published for drupal7.
> 
> CVE-2018-7602[0]:
> SA-CORE-2018-004
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-7602
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7602
> [1] https://www.drupal.org/psa-2018-003

Rather than published, they were forewarned. They will be published
two days from now (when I expect to patch right away!)

Thanks,



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#896701; Package src:drupal7. (Mon, 23 Apr 2018 19:09:05 GMT)


Acknowledgement sent to Gunnar Wolf <gwolf@debian.org>:
Extra info received and forwarded to list. (Mon, 23 Apr 2018 19:09:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#896701; Package src:drupal7. (Mon, 23 Apr 2018 19:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Mon, 23 Apr 2018 19:21:04 GMT)


Message #20 received at 896701@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Gunnar Wolf <gwolf@debian.org>
Cc: 896701@bugs.debian.org
Subject: Re: Bug#896701: drupal7: CVE-2018-7602: SA-CORE-2018-004
Date: Mon, 23 Apr 2018 21:18:01 +0200

Hi,

On Mon, Apr 23, 2018 at 02:04:33PM -0500, Gunnar Wolf wrote:
> Salvatore Bonaccorso said [Mon, Apr 23, 2018 at 08:53:38PM +0200]:
> > The following vulnerability was published for drupal7.
> > 
> > CVE-2018-7602[0]:
> > SA-CORE-2018-004
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-7602
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7602
> > [1] https://www.drupal.org/psa-2018-003
> 
> Rather than published, they were forewarned. They will be published
> two days from now (when I expect to patch right away!)

Yes, that was just a poorly worded bug report of mine. It's just a
prenotification yet, and the known CVE id for it.

Regards,
Salvatore



Reply sent to Gunnar Wolf <gwolf@debian.org>:
You have taken responsibility. (Mon, 30 Apr 2018 13:21:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 30 Apr 2018 13:21:08 GMT)


Message #25 received at 896701-close@bugs.debian.org:

From: Gunnar Wolf <gwolf@debian.org>
To: 896701-close@bugs.debian.org
Subject: Bug#896701: fixed in drupal7 7.52-2+deb9u4
Date: Mon, 30 Apr 2018 13:17:08 +0000
Source: drupal7
Source-Version: 7.52-2+deb9u4

We believe that the bug you reported is fixed in the latest version of
drupal7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896701@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gunnar Wolf <gwolf@debian.org> (supplier of updated drupal7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 25 Apr 2018 13:23:46 -0500
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.52-2+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Gunnar Wolf <gwolf@debian.org>
Changed-By: Gunnar Wolf <gwolf@debian.org>
Description:
 drupal7    - fully-featured content management framework
Closes: 896701
Changes:
 drupal7 (7.52-2+deb9u4) stretch-security; urgency=high
 .
   * Move repository from Alioth to Salsa; update Vcs-Git and Vcs-Browser
     accordingly
   * SA-CORE-2018-004: Fix remote code execution vulnerability
     (CVE-2018-7602) (Closes: #896701)




Reply sent to Gunnar Wolf <gwolf@debian.org>:
You have taken responsibility. (Mon, 30 Apr 2018 13:21:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 30 Apr 2018 13:21:11 GMT)


Message #30 received at 896701-close@bugs.debian.org:

From: Gunnar Wolf <gwolf@debian.org>
To: 896701-close@bugs.debian.org
Subject: Bug#896701: fixed in drupal7 7.32-1+deb8u12
Date: Mon, 30 Apr 2018 13:17:40 +0000
Source: drupal7
Source-Version: 7.32-1+deb8u12

We believe that the bug you reported is fixed in the latest version of
drupal7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896701@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gunnar Wolf <gwolf@debian.org> (supplier of updated drupal7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 25 Apr 2018 13:48:27 -0500
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.32-1+deb8u12
Distribution: jessie-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Gunnar Wolf <gwolf@debian.org>
Description:
 drupal7    - fully-featured content management framework
Closes: 896701
Changes:
 drupal7 (7.32-1+deb8u12) jessie-security; urgency=high
 .
   * Move repository from Alioth to Salsa; update Vcs-Git and Vcs-Browser
     accordingly
   * SA-CORE-2018-004: Fix remote code execution vulnerability
     (CVE-2018-7602) (Closes: #896701)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 12 Aug 2018 07:24:46 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:19:03 2019; Machine Name: buxtehude
