From security at unicamp.br Mon Dec 12 15:40:04 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 12 Dec 2016 15:40:04 -0200
Subject: [SECURITY-L] [security-news@drupal.org: [Security-news] High-performance JavaScript callback handler - Highly Critical - Multiple vulnerabilities - SA-CONTRIB-2016-063]
Message-ID: <20161212174004.GD4699@unicamp.br>

----- Forwarded message from security-news at drupal.org -----

Date: Wed, 7 Dec 2016 19:36:35 +0000 (UTC)
From: security-news at drupal.org
To: security-news at drupal.org
Subject: [Security-news] High-performance JavaScript callback handler - Highly Critical - Multiple vulnerabilities - SA-CONTRIB-2016-063

View online: https://www.drupal.org/node/2833790

  * Advisory ID: DRUPAL-SA-CONTRIB-2016-063
  * Project: High-performance JavaScript callback handler [1] (third-party module)
  * Version: 7.x
  * Date: 2016-December-07
  * Security risk: 22/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
  * Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request Forgery, Open Redirect, Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

The High-performance JavaScript callback handler module is a lightweight callback that bypasses most, if not all, of Drupal's bootstrapping process to improve performance.

The module does not sufficiently check whether a callback is being accessed legitimately, nor does it filter for potential XSS or CSRF exploits.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

  * High-performance JavaScript callback handler (js) 7.x-1.x versions prior to 7.x-2.1.

Drupal core is not affected.
If you do not use the contributed High-performance JavaScript callback handler [4] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the js module for Drupal 7.x, upgrade to js 7.x-2.1 [5]

*Note:* this upgrade is not backwards compatible with 7.x-1.x. Existing contrib and custom module implementations of this API will need to be upgraded, replaced or removed.

Also see the High-performance JavaScript callback handler [6] project page.

-------- REPORTED BY ---------------------------------------------------------

  * Anthony Leach (anthonyleach) [7]

-------- FIXED BY ------------------------------------------------------------

  * Mark Carver (markcarver) [8] - module maintainer

-------- COORDINATED BY ------------------------------------------------------

  * Michael Hess [9] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14]

[1] https://www.drupal.org/project/js
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/js
[5] https://www.drupal.org/project/js/releases/7.x-2.1
[6] https://www.drupal.org/project/js
[7] https://www.drupal.org/u/anthonyleach
[8] https://www.drupal.org/u/markcarver
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

----- End forwarded message -----


From security at unicamp.br Wed Dec 14 08:41:47 2016
From: security at unicamp.br (CSIRT Unicamp)
Date: Wed, 14 Dec 2016 08:41:47 -0200
Subject: [SECURITY-L] Joomla! 3.6.5 Released - Security fixes
Message-ID: <9fec649e-3692-b198-b4c7-7f3141a2d815@unicamp.br>

Joomla! 3.6.5 is now available. This is a security release for the 3.x series of Joomla! which addresses three security vulnerabilities, miscellaneous security hardening and three bug fixes; no further changes have been made compared to the Joomla! 3.6.4 release. We strongly recommend that you update your sites.

What's in 3.6.5
-----------------

Version 3.6.5 is released to address three security issues, miscellaneous security hardening and three bugs.

Security Issues Fixed
-----------------

High Priority - Core - Elevated Privileges (affecting Joomla! 1.6.0 through 3.6.4)
Low Priority - Core - Shell Upload (affecting Joomla! 3.0.0 through 3.6.4)
Low Priority - Core - Information Disclosure (affecting Joomla! 3.0.0 through 3.6.4)
Security Hardening

Bug Fixes
-----------------

[#12817] Fix Joomla Updater for Windows Users
[#12984] Fix installation language for sr-YU
[#12589] and [#13127] Fix default values for user creation on installation

Please see the documentation wiki for FAQs regarding the 3.6.5 release.
https://docs.joomla.org/Category:Version_3.6.5_FAQ

Download
-----------------

Please visit https://downloads.joomla.org/ and select the appropriate version for your use.
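Returning to the Drupal advisory above: as an added, hypothetical illustration (not code from the js module, its maintainer or Drupal), a Drupal 7-style callback dispatcher that performs the access, CSRF, redirect and output checks the advisory describes as missing. The `example_` functions, callback names and permissions are assumptions; the Drupal 7 API calls (user_access, drupal_valid_token, url_is_external, check_plain, drupal_json_output) exist in core and are assumed to be available because a full bootstrap has run.

```php
<?php
// Added, hypothetical example (not the js module's code): a Drupal 7-style
// callback dispatcher doing the checks the advisory says were missing.
// Assumes a full Drupal bootstrap so the D7 API functions are available.
function example_callback_registry() {
  // Each callback declares the permission it needs and whether it changes
  // state; state-changing callbacks must carry a CSRF token.
  return array(
    'greet' => array('callback' => 'example_greet',
      'access' => 'access content', 'state_changing' => FALSE),
    'save_note' => array('callback' => 'example_save_note',
      'access' => 'administer site configuration', 'state_changing' => TRUE),
  );
}

function example_greet(array $query) {
  return 'Hello, ' . (isset($query['name']) ? $query['name'] : 'anonymous');
}

function example_save_note(array $query) {
  variable_set('example_note', isset($query['note']) ? $query['note'] : '');
  return 'Saved';
}
// $name and $query come from the request; $token was issued to the client
// earlier via drupal_get_token($name).
function example_dispatch($name, array $query, $token = '') {
  $registry = example_callback_registry();
  // 1. Only registered callbacks may run: no arbitrary function names.
  if (!isset($registry[$name])) {
    drupal_not_found();
    return;
  }
  $entry = $registry[$name];
  // 2. Access bypass: enforce the declared permission for every callback.
  if (!user_access($entry['access'])) {
    drupal_access_denied();
    return;
  }
  // 3. CSRF: a state-changing callback needs a token bound to its name.
  if ($entry['state_changing'] && !drupal_valid_token($token, $name)) {
    drupal_access_denied();
    return;
  }
  // 4. Open redirect: drop a destination that points off-site.
  if (isset($query['destination']) && url_is_external($query['destination'])) {
    unset($query['destination']);
  }
  // 5. XSS: escape the callback's output before the browser sees it.
  drupal_json_output(array('html' => check_plain(call_user_func($entry['callback'], $query))));
}
```

A dispatcher that skips the bootstrap cannot call these functions, which is why a lightweight handler has to re-implement equivalent checks itself or the advisory's vulnerability classes reappear.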