From security em unicamp.br Thu Aug 13 09:25:37 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 13 Aug 2015 09:25:37 -0300
Subject: [SECURITY-L] CAIS-Alerta: Summary of Microsoft Security Bulletins - August/2015
Message-ID: <20150813122537.GD26382@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

Date: Wed, 12 Aug 2015 14:54:07 -0300 (BRT)
From: Centro de Atendimento a Incidentes de Seguranca
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br, pop-seg em cais.rnp.br
cc: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Summary of Microsoft Security Bulletins - August/2015

Dear all,

On 11 August 2015 Microsoft published 13 security bulletins addressing a total of 58 vulnerabilities in the company's products. Exploitation of these vulnerabilities allows remote code execution, elevation of privilege and information disclosure.

At the time this alert was published, no exploit code had been released for the vulnerabilities listed.

Severity

Critical

· MS15-079 . Security update for Internet Explorer
· MS15-080 . Vulnerabilities in Microsoft Graphics Component could allow remote code execution
· MS15-081 . Vulnerabilities in Microsoft Office could allow remote code execution
· MS15-091 . Security update for Microsoft Edge

Important

· MS15-082 . Vulnerabilities in RDP could allow remote code execution
· MS15-083 . Vulnerability in Server Message Block could allow remote code execution
· MS15-084 . Vulnerabilities in XML Core Services could allow information disclosure
· MS15-085 . Vulnerability in Mount Manager could allow elevation of privilege
· MS15-086 . Vulnerability in System Center Operations Manager could allow elevation of privilege
· MS15-087 . Vulnerability in UDDI Services could allow elevation of privilege
· MS15-088 . Incorrect command line parameter passing could allow information disclosure
· MS15-089 . Vulnerability in WebDAV could allow information disclosure
· MS15-090 . Vulnerabilities in Microsoft Windows could allow elevation of privilege

Moderate

No bulletins

Low

No bulletins

The vulnerability severity classification adopted by CAIS is Microsoft's own. CAIS recommends applying the fixes for vulnerabilities classified as critical and important. For fixes for vulnerabilities classified as moderate, CAIS recommends that at least the mitigation recommendations be followed.

· Critical - Vulnerabilities whose exploitation could allow the propagation of a worm without any user interaction.
· Important - Vulnerabilities whose exploitation could result in the compromise of the confidentiality, integrity or availability of user data, or of the integrity or availability of processing resources.
· Moderate - Exploitation is significantly mitigated by factors such as default configuration, auditing or difficulty of exploitation.
· Low - A vulnerability whose exploitation is extremely difficult or whose impact is minimal.

Available fixes

It is recommended to update systems to the versions available at:

Microsoft Update
https://www.update.microsoft.com/microsoftupdate

Microsoft Download Center
http://www.microsoft.com/en-us/download/default.aspx

More information

Microsoft Security Bulletin Summary for August 2015
https://technet.microsoft.com/pt-BR/library/security/ms15-aug.aspx

Microsoft Security TechCenter
https://technet.microsoft.com/pt-br/security

Microsoft Security Response Center - MSRC
https://technet.microsoft.com/pt-br/security/dn440717

Microsoft Security Research & Defense - MSRD
http://blogs.technet.com/b/srd/

Microsoft Safety & Security Center
https://www.microsoft.com/pt-br/security/default.aspx

CVE identifiers (http://cve.mitre.org):

CVE-2015-2423 CVE-2015-2441 CVE-2015-2442 CVE-2015-2443 CVE-2015-2444 CVE-2015-2445
CVE-2015-2446 CVE-2015-2447 CVE-2015-2448 CVE-2015-2449 CVE-2015-2450 CVE-2015-2451
CVE-2015-2452 CVE-2015-2431 CVE-2015-2432 CVE-2015-2433 CVE-2015-2435 CVE-2015-2453
CVE-2015-2454 CVE-2015-2455 CVE-2015-2456 CVE-2015-2458 CVE-2015-2459 CVE-2015-2460
CVE-2015-2461 CVE-2015-2462 CVE-2015-2463 CVE-2015-2464 CVE-2015-2465 CVE-2015-1642
CVE-2015-2423 CVE-2015-2466 CVE-2015-2467 CVE-2015-2468 CVE-2015-2469 CVE-2015-2470
CVE-2015-2477 CVE-2015-2472 CVE-2015-2473 CVE-2015-2474 CVE-2015-2434 CVE-2015-2440
CVE-2015-2471 CVE-2015-1769 CVE-2015-2420 CVE-2015-2475 CVE-2015-2423 CVE-2015-2476
CVE-2015-2428 CVE-2015-2429 CVE-2015-2430 CVE-2015-2441 CVE-2015-2442 CVE-2015-2446
CVE-2015-2449 CVE-2015-2479 CVE-2015-2480 CVE-2015-2481

CAIS recommends that administrators keep their systems and applications up to date with the latest versions and fixes offered by vendors.

CAIS alerts are also available on Twitter: follow @caisrnp

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br  http://www.rnp.br/servicos/seguranca    #
# Tel. 019-37873300  Fax. 019-37873301                         #
# PGP key available at http://www.cais.rnp.br/cais-pgp.key     #
################################################################

----- End forwarded message -----

From security em unicamp.br Fri Aug 14 13:24:55 2015
From: security em unicamp.br (CSIRT Unicamp)
Date: Fri, 14 Aug 2015 13:24:55 -0300
Subject: [SECURITY-L] OpenSSH vulnerabilities
In-Reply-To: <55CE0C3A.8030108@canonical.com>
References: <55CE0C3A.8030108@canonical.com>
Message-ID: <55CE1657.1070905@unicamp.br>

-------- Forwarded Message --------
Subject: [USN-2710-1] OpenSSH vulnerabilities
Date: Fri, 14 Aug 2015 11:41:46 -0400
From: Marc Deslauriers
Reply-To: ubuntu-users em lists.ubuntu.com, Ubuntu Security
To: ubuntu-security-announce em lists.ubuntu.com

==========================================================================
Ubuntu Security Notice USN-2710-1
August 14, 2015

openssh vulnerabilities
==========================================================================

Summary:

Several security issues were fixed in OpenSSH.

Software Description:
- openssh: secure shell (SSH) for secure access to remote machines

Details:

Moritz Jodeit discovered that OpenSSH incorrectly handled usernames when using PAM authentication. If an additional vulnerability were discovered in the OpenSSH unprivileged child process, this issue could allow a remote attacker to perform user impersonation. (CVE number pending)

Moritz Jodeit discovered that OpenSSH incorrectly handled context memory when using PAM authentication.
If an additional vulnerability were discovered in the OpenSSH unprivileged child process, this issue could allow a remote attacker to bypass authentication or possibly execute arbitrary code. (CVE number pending)

Jann Horn discovered that OpenSSH incorrectly handled time windows for X connections. A remote attacker could use this issue to bypass certain access restrictions. (CVE-2015-5352)

It was discovered that OpenSSH incorrectly handled keyboard-interactive authentication. In a non-default configuration, a remote attacker could possibly use this issue to perform a brute-force password attack. (CVE-2015-5600)

References:
http://www.ubuntu.com/usn/usn-2710-1
CVE-2015-5352, CVE-2015-5600

-- 
ubuntu-security-announce mailing list
ubuntu-security-announce em lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

From security em unicamp.br Thu Aug 20 09:56:10 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 20 Aug 2015 09:56:10 -0300
Subject: [SECURITY-L] [security-news@drupal.org: [Security-news] Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003]
Message-ID: <20150820125609.GD28838@unicamp.br>

----- Forwarded message from security-news em drupal.org -----

Date: Wed, 19 Aug 2015 21:33:24 +0000 (UTC)
From: security-news em drupal.org
To: security-news em drupal.org
Subject: [Security-news] Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003
X-Mailer: Drupal

View online: https://www.drupal.org/SA-CORE-2015-003

  * Advisory ID: DRUPAL-SA-CORE-2015-003
  * Project: Drupal core [1]
  * Version: 6.x, 7.x
  * Date: 2015-August-19
  * Security risk: 18/25 (Critical) AC:Complex/A:User/CI:All/II:All/E:Proof/TD:All [2]
  * Vulnerability: Cross Site Scripting, Access bypass, SQL Injection, Open Redirect, Multiple vulnerabilities

This security advisory fixes multiple vulnerabilities. See below for a list.

-------- CROSS-SITE SCRIPTING - AJAX SYSTEM - DRUPAL 7 -----------------------

A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML element.

This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.

Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed Ctools module: SA-CONTRIB-2015-141 [3].

-------- CROSS-SITE SCRIPTING - AUTOCOMPLETE SYSTEM - DRUPAL 6 AND 7 ---------

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.

This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.

-------- SQL INJECTION - DATABASE API - DRUPAL 7 -----------------------------

A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.

This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.

-------- CROSS-SITE REQUEST FORGERY - FORM API - DRUPAL 6 AND 7 --------------

A vulnerability was discovered in Drupal's form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user's account.

This vulnerability is mitigated by the fact that the uploaded files would be temporary, and Drupal normally deletes temporary files automatically after 6 hours.

-------- INFORMATION DISCLOSURE IN MENU LINKS - ACCESS SYSTEM - DRUPAL 6 AND 7 -------------------------------------------------------------------

Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

  * /CVE identifiers [4] have been requested and will be added upon issuance, in accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Drupal core 6.x versions prior to 6.37
  * Drupal core 7.x versions prior to 7.39

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use Drupal 6.x, upgrade to Drupal core 6.37 [5]
  * If you use Drupal 7.x, upgrade to Drupal core 7.39 [6]

Also see the Drupal core [7] project page.

-------- CREDITS -------------------------------------------------------------

.... Cross-site Scripting - Ajax system - Drupal 7

.. Reported by

  * Régis Leroy [8]
  * Kay Leung [9], Drupal core JavaScript maintainer
  * Samuel Mortenson [10]
  * Pere Orga [11] of the Drupal Security Team

.. Fixed by

  * Théodore Biadala [12], Drupal core JavaScript maintainer
  * Alex Bronstein [13] of the Drupal Security Team
  * Ben Dougherty [14] of the Drupal Security Team
  * Gábor Hojtsy [15] of the Drupal Security Team
  * Greg Knaddison [16] of the Drupal Security Team
  * Kay Leung [17], Drupal core JavaScript maintainer
  * Wim Leers [18]
  * Samuel Mortenson [19]
  * Pere Orga [20] of the Drupal Security Team
  * Tim Plunkett [21]
  * David Rothstein [22] of the Drupal Security Team
  * Lee Rowlands [23] of the Drupal Security Team
  * Peter Wolanin [24] of the Drupal Security Team
  * znerol [25], maintainer of Authcache module

.... Cross-site Scripting - Autocomplete system - Drupal 6 and 7

.. Reported by

  * Alex Bronstein [26] of the Drupal Security Team
  * Pere Orga [27] of the Drupal Security Team

.. Fixed by

  * Alex Bronstein [28] of the Drupal Security Team
  * Ben Dougherty [29] of the Drupal Security Team
  * Tim Plunkett [30]
  * Lee Rowlands [31] of the Drupal Security Team
  * Peter Wolanin [32] of the Drupal Security Team
  * David Rothstein [33] of the Drupal Security Team

.... SQL Injection - Database API - Drupal 7

.. Reported by

  * Carl Sabottke [34]

.. Fixed by

  * Anthony Ferrara [35]
  * Larry Garfield [36]
  * Greg Knaddison [37] of the Drupal Security Team
  * Cathy Theys [38], provisional member of the Drupal Security Team
  * Peter Wolanin [39] of the Drupal Security Team

.... Cross-site Request Forgery - Form API - Drupal 6 and 7

.. Reported by

  * Abdullah Hussam [40]

.. Fixed by

  * Greg Knaddison [41] of the Drupal Security Team
  * Wim Leers [42]
  * David Rothstein [43] of the Drupal Security Team
  * Lee Rowlands [44] of the Drupal Security Team
  * Peter Wolanin [45] of the Drupal Security Team

.... Information Disclosure in Menu Links - Access system - Drupal 6 and 7

.. Reported by

  * David_Rothstein [46] of the Drupal Security Team

.. Fixed by

  * Matt Chapman [47] of the Drupal Security Team
  * Stéphane Corlosquet [48] of the Drupal Security Team
  * Greg Knaddison [49] of the Drupal Security Team
  * Christian Meilinger [50]
  * David_Rothstein [51] of the Drupal Security Team
  * Lee Rowlands [52] of the Drupal Security Team

-------- COORDINATED BY ------------------------------------------------------

  * Alex Bronstein, Angie Byron, Michael Hess, Pere Orga, David Rothstein and Peter Wolanin of the Drupal Security Team [53]

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [54].

Learn more about the Drupal Security team and their policies [55], writing secure code for Drupal [56], and securing your site [57].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [58]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/2554145
[4] http://cve.mitre.org/
[5] https://www.drupal.org/drupal-6.37-release-notes
[6] https://www.drupal.org/drupal-7.39-release-notes
[7] https://www.drupal.org/project/drupal
[8] https://www.drupal.org/u/regilero
[9] https://www.drupal.org/u/droplet
[10] https://www.drupal.org/u/samuel.mortenson
[11] https://www.drupal.org/u/pere-orga
[12] https://www.drupal.org/u/nod_
[13] https://www.drupal.org/u/effulgentsia
[14] https://www.drupal.org/u/benjy
[15] https://www.drupal.org/u/g%C3%A1bor-hojtsy
[16] https://www.drupal.org/u/greggles
[17] https://www.drupal.org/u/droplet
[18] https://www.drupal.org/u/wim-leers
[19] https://www.drupal.org/u/samuel.mortenson
[20] https://www.drupal.org/u/pere-orga
[21] https://www.drupal.org/u/tim.plunkett
[22] https://www.drupal.org/u/david_rothstein
[23] https://www.drupal.org/u/larowlan
[24] https://www.drupal.org/u/pwolanin
[25] https://www.drupal.org/u/znerol
[26] https://www.drupal.org/user/78040
[27] https://www.drupal.org/user/2301194
[28] https://www.drupal.org/u/effulgentsia
[29] https://www.drupal.org/u/benjy
[30] https://www.drupal.org/u/tim.plunkett
[31] https://www.drupal.org/u/larowlan
[32] https://www.drupal.org/user/49851
[33] https://www.drupal.org/u/david_rothstein
[34] https://www.drupal.org/u/csabot3
[35] https://www.drupal.org/u/ircmaxell
[36] https://www.drupal.org/u/crell
[37] https://www.drupal.org/u/greggles
[38] https://www.drupal.org/u/yesct
[39] https://www.drupal.org/u/pwolanin
[40] https://www.drupal.org/u/abdullah-hussam
[41] https://www.drupal.org/u/greggles
[42] https://www.drupal.org/u/wim-leers
[43] https://www.drupal.org/u/david_rothstein
[44] https://www.drupal.org/u/larowlan
[45] https://www.drupal.org/u/pwolanin
[46] https://www.drupal.org/u/David_Rothstein
[47] https://www.drupal.org/u/matt2000
[48] https://www.drupal.org/u/scor
[49] https://www.drupal.org/u/greggles
[50] https://www.drupal.org/u/meichr
[51] https://www.drupal.org/u/David_Rothstein
[52] https://www.drupal.org/u/larowlan
[53] https://www.drupal.org/security-team
[54] https://www.drupal.org/contact
[55] https://www.drupal.org/security-team
[56] https://www.drupal.org/writing-secure-code
[57] https://www.drupal.org/security/secure-configuration
[58] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

----- End forwarded message -----

From security em unicamp.br Thu Aug 20 09:57:43 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 20 Aug 2015 09:57:43 -0300
Subject: [SECURITY-L] [security-news@drupal.org: [Security-news] Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141]
Message-ID: <20150820125743.GF28838@unicamp.br>

----- Forwarded message from security-news em drupal.org -----

Date: Wed, 19 Aug 2015 21:34:09 +0000 (UTC)
From: security-news em drupal.org
To: security-news em drupal.org
Subject: [Security-news] Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141
X-Mailer: Drupal

View online: https://www.drupal.org/node/2554145

  * Advisory ID: DRUPAL-SA-CONTRIB-2015-141
  * Project: Chaos tool suite (ctools) [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2015-August-19
  * Security risk: 14/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
  * Vulnerability: Cross Site Scripting, Access bypass, Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

.... Cross Site Scripting (XSS)

Ctools in Drupal 6 provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Entityreference.
Many features introduced in Drupal Core once lived in ctools.

This vulnerability can be mitigated by the fact that ctools must load its JavaScript on the page and the user has access to submit data through a form (such as a comment or node) that allows 'a' tags.

This patch is a backport for SA-CORE-2015-003 [3].

.... Access bypass

This module provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Features.

The module doesn't sufficiently verify the "edit" permission for the "content type" plugins that are used on Panels and similar systems to place content and functionality on a page.

This vulnerability is mitigated by the fact that the user must have access to edit a display via a Panels display system, e.g. via Panels pages, Mini Panels, Panel Nodes, Panelizer displays, IPE, Panels Everywhere, etc. Furthermore, either a contributed module provides a CTools content type plugin, or a custom plugin must be written that inherits permissions from another plugin and must have a different permission defined; if no "edit" permission is set up for the child object, CTools did not check the permissions of the parent object. One potential scenario would allow people who did not have edit access to Fieldable Panels Panes panes, which were specifically set to not be reusable, to edit them despite the person's lack of access.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

  * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

Cross Site Scripting:

  * ctools 6.x-1.x versions prior to 6.x-1.14.

Access bypass:

  * ctools 6.x-1.x versions prior to 6.x-1.14.
  * ctools 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) [5] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the ctools module for Drupal 6.x, upgrade to ctools 6.x-1.14 [6]
  * If you use the ctools module for Drupal 7.x, upgrade to ctools 7.x-1.8 [7]

Also see the Chaos tool suite (ctools) [8] project page.

-------- REPORTED BY ---------------------------------------------------------

Cross Site Scripting:

  * Peter Wolanin [9] of the Drupal Security Team

Access bypass:

  * Andor Dávid [10]

-------- FIXED BY ------------------------------------------------------------

Cross Site Scripting:

  * James Gilliland [11] of the Drupal Security Team
  * Alex Bronstein [12], Drupal core patch coordinator
  * Kris Vanderwater [13], the module maintainer
  * Jakob Perry [14], the module maintainer

Access bypass:

  * Andor Dávid [15]
  * Damien McKenna [16], provisional member of the Drupal Security Team
  * Michael Miles [17] of the Drupal Security Team
  * Jakob Perry [18], the module maintainer

-------- COORDINATED BY ------------------------------------------------------

  * Pere Orga [19] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [20].

Learn more about the Drupal Security team and their policies [21], writing secure code for Drupal [22], and securing your site [23].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [24]

[1] https://www.drupal.org/project/ctools
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/SA-CORE-2015-003
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/ctools
[6] https://www.drupal.org/node/2554133
[7] https://www.drupal.org/node/2554141
[8] https://www.drupal.org/project/ctools
[9] https://www.drupal.org/u/pwolanin
[10] https://www.drupal.org/u/sweetchuck
[11] https://www.drupal.org/u/neclimdul
[12] https://www.drupal.org/user/78040
[13] https://www.drupal.org/user/61203
[14] https://www.drupal.org/user/45640
[15] https://www.drupal.org/u/sweetchuck
[16] https://www.drupal.org/u/damienmckenna
[17] https://www.drupal.org/u/mikemiles86
[18] https://www.drupal.org/u/japerry
[19] https://www.drupal.org/user/2301194
[20] https://www.drupal.org/contact
[21] https://www.drupal.org/security-team
[22] https://www.drupal.org/writing-secure-code
[23] https://www.drupal.org/security/secure-configuration
[24] https://twitter.com/drupalsecurity

----- End forwarded message -----

From security em unicamp.br Thu Aug 20 10:07:49 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 20 Aug 2015 10:07:49 -0300
Subject: [SECURITY-L] [security-news@drupal.org: [Security-news] Workbench Email - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2015-139]
Message-ID: <20150820130749.GH28838@unicamp.br>

----- Forwarded message from security-news em drupal.org -----

Date: Wed, 19 Aug 2015 17:27:01 +0000 (UTC)
From: security-news em drupal.org
To: security-news em drupal.org
Subject: [Security-news] Workbench Email - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2015-139
X-Mailer: Drupal

View online: https://www.drupal.org/node/2553971

  * Advisory ID: DRUPAL-SA-CONTRIB-2015-139
  * Project: Workbench Email [1] (third-party module)
  * Version: 7.x
  * Date: 2015-August-19
  * Security risk: 10/25 (Moderately Critical) AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
  * Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

Workbench Email module provides a way for administrators to define email transitions and configurable email subject / messages between those transitions.

The module causes node and field validations to be skipped when saving nodes.

The vulnerability is mitigated by the fact that an attacker must have a role with permission to create or update nodes.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Workbench Email 7.x-3.x versions prior to 7.x-3.4

Drupal core is not affected. If you do not use the contributed Workbench Email [4] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the Workbench Email module for Drupal 7.x, upgrade to Workbench Email 7.x-3.4 [5]

Also see the Workbench Email [6] project page.

-------- REPORTED BY ---------------------------------------------------------

  * Yves Chedemois [7]

-------- FIXED BY ------------------------------------------------------------

  * Brandon Tate [8], the module maintainer

-------- COORDINATED BY ------------------------------------------------------

  * Pere Orga [9] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14]

[1] https://www.drupal.org/project/workbench_email
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/workbench_email
[5] https://www.drupal.org/node/2484229
[6] https://www.drupal.org/project/workbench_email
[7] https://www.drupal.org/u/yched
[8] https://www.drupal.org/u/teknic
[9] https://www.drupal.org/u/pere-orga
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity

----- End forwarded message -----

From security em unicamp.br Thu Aug 20 10:16:04 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 20 Aug 2015 10:16:04 -0300
Subject: [SECURITY-L] [security-news@drupal.org: [Security-news] Search API Autocomplete - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-140]
Message-ID: <20150820131604.GJ28838@unicamp.br>

----- Forwarded message from security-news em drupal.org -----

Date: Wed, 19 Aug 2015 17:27:06 +0000 (UTC)
From: security-news em drupal.org
To: security-news em drupal.org
Subject: [Security-news] Search API Autocomplete - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-140
X-Mailer: Drupal

View online: https://www.drupal.org/node/2553977

  * Advisory ID: DRUPAL-SA-CONTRIB-2015-140
  * Project: Search API Autocomplete [1] (third-party module)
  * Version: 7.x
  * Date: 2015-August-19
  * Security risk: 6/25 (Less Critical) AC:Complex/A:User/CI:None/II:None/E:Theoretical/TD:Default [2]
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

This module enables you to add autocomplete suggestions for search forms created with the Search API module [3].

The module doesn't sufficiently sanitize the HTML output for the returned suggestions, theoretically allowing an attacker to include custom HTML there.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create new content (or other indexed entities) and that the search index must be configured to use the HTML filter processor.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

  * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Search API Autocomplete 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Search API Autocomplete [5] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the Search API Autocomplete module for Drupal 7.x, upgrade to Search API Autocomplete 7.x-1.3 [6]

Also see the Search API Autocomplete [7] project page.

-------- REPORTED BY ---------------------------------------------------------

  * Thomas Seidl [8], the module maintainer

-------- FIXED BY ------------------------------------------------------------

  * Thomas Seidl [9], the module maintainer

-------- COORDINATED BY ------------------------------------------------------

  * Klaus Purer [10] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15]

[1] https://www.drupal.org/project/search_api_autocomplete
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/search_api
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/search_api_autocomplete
[6] https://www.drupal.org/node/2553485
[7] https://www.drupal.org/project/search_api_autocomplete
[8] https://www.drupal.org/u/drunken-monkey
[9] https://www.drupal.org/u/drunken-monkey
[10] https://www.drupal.org/u/klausi
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity

----- End forwarded message -----
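Two of the advisories above concern autocomplete output that is not sanitized before it reaches the browser: the core autocomplete item of SA-CORE-2015-003 and the suggestion rendering of SA-CONTRIB-2015-140. The following Python example is added here and is not code from any of the advisories or from Drupal (Drupal is written in PHP; the module fixes live in the modules themselves). The suggestion format, the highlighting of the typed prefix, the function names and the sample index titles are all assumptions constructed for the illustration; it shows the weak pattern of concatenating indexed text straight into markup beside the hardened pattern of escaping each untrusted fragment at the output boundary.

```python
"""Escaping autocomplete suggestions before they are rendered as HTML."""
import html
from typing import List

# Constructed sample index entries. The last one stands in for a title that a
# user holding a "create content" permission could get into a search index.
INDEX_TITLES = [
    "Security team",
    "Securing your site",
    "<script>alert(1)</script> security",  # constructed hostile title
]


def suggest(prefix: str, titles: List[str], limit: int = 10) -> List[str]:
    """Return the indexed titles that contain the typed prefix (case-insensitive)."""
    needle = prefix.lower()
    return [t for t in titles if needle in t.lower()][:limit]


def render_suggestion_unsafe(title: str, prefix: str) -> str:
    """Weak pattern: the untrusted title is concatenated straight into markup.
    Wrapping the matched prefix in <strong> does nothing about the rest of the
    title, which reaches the browser as raw HTML."""
    i = title.lower().find(prefix.lower())
    if i < 0:
        return "<li>" + title + "</li>"
    end = i + len(prefix)
    return ("<li>" + title[:i] + "<strong>" + title[i:end] + "</strong>"
            + title[end:] + "</li>")


def render_suggestion(title: str, prefix: str) -> str:
    """Hardened pattern: each untrusted text fragment is escaped on its own and
    only the markup this renderer emits itself stays unescaped. Escaping the
    whole string after wrapping would neutralise the <strong> tags, so the
    match is located on the raw text and the three fragments are escaped
    separately, which keeps both the highlight and the escaping."""
    i = title.lower().find(prefix.lower())
    if i < 0:
        return "<li>" + html.escape(title, quote=True) + "</li>"
    end = i + len(prefix)
    before = html.escape(title[:i], quote=True)
    match = html.escape(title[i:end], quote=True)
    after = html.escape(title[end:], quote=True)
    return "<li>" + before + "<strong>" + match + "</strong>" + after + "</li>"


def render_list(prefix: str, titles: List[str], safe: bool = True) -> str:
    """Render the suggestion list for a typed prefix with one of the renderers."""
    renderer = render_suggestion if safe else render_suggestion_unsafe
    items = "".join(renderer(t, prefix) for t in suggest(prefix, titles))
    return "<ul>" + items + "</ul>"


def contains_raw_tag(markup: str, tag: str = "<script") -> bool:
    """Check used by the demonstration: is the hostile tag still present
    unescaped in the rendered markup?"""
    return tag in markup


if __name__ == "__main__":
    print(render_list("sec", INDEX_TITLES, safe=False))  # raw <script> reaches the page
    print(render_list("sec", INDEX_TITLES, safe=True))   # &lt;script&gt; is inert text
```

The design point is where escaping happens: not on the stored title (indexing may legitimately keep raw text for matching) and not on the finished string (that would destroy the renderer's own tags), but on each untrusted fragment at the moment it is joined to markup the renderer controls.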
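The "SQL injection - Database API" item of SA-CORE-2015-003 above describes a filter meant to keep untrusted text safely inside an SQL comment. The Python example below is added here and is not Drupal's code (Drupal's query builder is PHP and the advisory gives no implementation detail); the two filter functions, the query-tagging convention and the sample inputs are assumptions constructed to show a general property of such filters: stripping comment delimiters in a single pass can leave a freshly formed `*/` behind, while repeating the stripping until the text stops changing cannot.

```python
"""Filtering untrusted text before placing it inside an SQL comment."""
import re

# Both comment delimiters; the order of the alternation does not matter here.
_DELIMITERS = re.compile(r"/\*|\*/")


def filter_comment_single_pass(comment: str) -> str:
    """Weak pattern: strip every '/*' and '*/' once, left to right. Removing a
    delimiter can bring two characters together that form a new '*/' (the
    constructed input '**//' becomes '*/'), which would close the comment
    early and let whatever follows be parsed as SQL."""
    return _DELIMITERS.sub("", comment)


def filter_comment(comment: str) -> str:
    """Hardened pattern: repeat the stripping until the text stops changing,
    so no delimiter survives or is re-formed. Semicolons are mapped to
    periods as well, so the comment can never look like a statement
    separator to a layer that splits on them."""
    comment = comment.replace(";", ".")
    previous = None
    while previous != comment:
        previous = comment
        comment = _DELIMITERS.sub("", comment)
    return comment


def build_query(base_sql: str, comment: str, filterer=filter_comment) -> str:
    """Prefix a query with a comment, as a query builder might do to tag the
    calling module for the database log (constructed convention)."""
    return "/* " + filterer(comment) + " */ " + base_sql


def comment_closed_early(query: str) -> bool:
    """Check used by the demonstration: does a '*/' appear before the closing
    delimiter that build_query itself appended?"""
    first_close = query.find("*/")
    builder_close = query.rfind(" */ ") + 1  # index of the builder's own '*/'
    return first_close != -1 and first_close < builder_close


if __name__ == "__main__":
    hostile = "**//"  # constructed input that survives a single pass
    print(build_query("SELECT 1", hostile, filter_comment_single_pass))
    print(build_query("SELECT 1", hostile))
```

The fixpoint loop is the whole point: a sanitiser that removes a token must ask whether the removal can create the same token, and looping until nothing changes answers that question without having to enumerate the ways it might happen.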