[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DSA 3897-1] drupal7 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3897-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 24, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : CVE-2015-7943 CVE-2017-6922
Debian Bug     : 865498

Two vulnerabilities were discovered in Drupal, a fully-featured content
management framework. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2015-7943

    Samuel Mortenson and Pere Orga discovered that the overlay module
    does not sufficiently validate URLs prior to displaying their
    contents, leading to an open redirect vulnerability.

    More information can be found at
    https://www.drupal.org/SA-CORE-2015-004

CVE-2017-6922

    Greg Knaddison, Mori Sugimoto and iancawthorne discovered that files
    uploaded by anonymous users into a private file system can be
    accessed by other anonymous users leading to an access bypass
    vulnerability.

    More information can be found at
    https://www.drupal.org/SA-CORE-2017-003

For the oldstable distribution (jessie), these problems have been fixed
in version 7.32-1+deb8u9.

For the stable distribution (stretch), these problems have been fixed in
version 7.52-2+deb9u1. For the stable distribution (stretch),
CVE-2015-7943 was already fixed before the initial release.

We recommend that you upgrade your drupal7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAllN9+FfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RsPw/+OI+sKb7Tug9hTpQSFiBNVkBqUCd3pvBofmVvu+peF/YTIL6iY/b9Gi5o
Q86Jzj9Fnnv8rRVgVDuWWsUMi+hOcu8DzUEiEFB181rsU52xJX+CI5jvgjTRqr3R
JFC8iGEELc09bUccmfBzujYx7XvUkUrodhjxhdphfi2cLIs9l10RYZGQZMpKTG8A
MzC60GUCCWLbn20pvS2FgLPQSbMatS6kfT76xU7v2zpI78UDhuefqD9cFCqMNpA8
7sYyqIp+cLSS4abzfQFPjzbxqrsRlRwyS5WRIbFwxGefBJWDigDEOgwmAvjiHC17
lv6j7dgzdzJaGmsVdGjiKnG8GXMly5Jk7zA+c52LEkm9d5HsYX6mXwF6XLJypQT3
jDBpmBzyuZvBs8fZNNOv2Ym5X81BSDRx4LvFGMrkfrucZ6GEIHtxs4gPN4n/nfy8
+yhWG7tPqhnQQTyEV1aSBK5h0YwEpCkxRNEB4C8MjA69E8AhzEgu8bdiiKnGSjWP
lZzkOs1gFgM+J5CR1RdxNWRvuR3Evf3H7QH5aanYAGBlCwG08NoN0DHgmK1NaScK
kCD7wOWqe1eZxpjpP9KpZrloOBr1rLl5IDEUffDakNfzXnrFyNEnBth7sCvUimfR
ash56i1MHn7n39RflEqZ1cctr/Wf4fnsBcTbVNRTKLSL+GG1hAs=
=qpVD
-----END PGP SIGNATURE-----


Reply to: