From security at unicamp.br Wed Apr 25 13:41:03 2018
From: security at unicamp.br (CSIRT Unicamp)
Date: Wed, 25 Apr 2018 13:41:03 -0300
Subject: [SECURITY-L] Fwd: [Security-news] Drupal core - Critical - Remote Code Execution - SA-CORE-2018-004

===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830

---------- Forwarded message ----------
From:
Date: 2018-04-25 13:33 GMT-03:00
Subject: [Security-news] Drupal core - Critical - Remote Code Execution - SA-CORE-2018-004
To: security-news at drupal.org

View online: https://www.drupal.org/sa-core-2018-004

Project: Drupal core [1]
Date: 2018-April-25
Security risk: *Critical* 17/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Remote Code Execution

Description:

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised.

This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002 [3]. While SA-CORE-2018-002 is being exploited in the wild, this vulnerability is not known to be in active exploitation as of this release.

Solution:

Upgrade to the most recent version of Drupal 7 or 8 core.

* If you are running 7.x, upgrade to Drupal 7.59 [4].
* If you are running 8.5.x, upgrade to Drupal 8.5.3 [5].
* If you are running 8.4.x, upgrade to Drupal 8.4.8 [6]. (Drupal 8.4.x is no longer supported and we don't normally provide security releases for unsupported minor releases [7]. However, we are providing this 8.4.x release so that sites can update as quickly as possible.
  You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.)

If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely:

* Patch for Drupal 8.x [8] (8.5.x and below)
* Patch for Drupal 7.x [9]

These patches will only work if your site already has the fix from SA-CORE-2018-002 [10] applied. (If your site does not have that fix, it may already be compromised [11].)

Reported By:

* David Rothstein [12] of the Drupal Security Team
* Alex Pott [13] of the Drupal Security Team
* Heine Deelstra [14] of the Drupal Security Team
* Jasper Mattsson [15]

Fixed By:

* David Rothstein [16] of the Drupal Security Team
* xjm [17] of the Drupal Security Team
* Samuel Mortenson [18] of the Drupal Security Team
* Alex Pott [19] of the Drupal Security Team
* Lee Rowlands [20] of the Drupal Security Team
* Heine Deelstra [21] of the Drupal Security Team
* Pere Orga [22] of the Drupal Security Team
* Peter Wolanin [23] of the Drupal Security Team
* Tim Plunkett [24]
* Michael Hess [25] of the Drupal Security Team
* Nate Lampton [26]
* Jasper Mattsson [27]
* Neil Drumm [28] of the Drupal Security Team
* Cash Williams [29] of the Drupal Security Team
* Daniel Wehner [30]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2018-002
[4] https://www.drupal.org/project/drupal/releases/7.59
[5] https://www.drupal.org/project/drupal/releases/8.5.3
[6] https://www.drupal.org/project/drupal/releases/8.4.8
[7] https://www.drupal.org/core/release-cycle-overview
[8] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=bb6d396609600d1169da29456ba3db59abae4b7e
[9] https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0
[10] https://www.drupal.org/sa-core-2018-002
[11] https://www.drupal.org/psa-2018-002
[12] https://www.drupal.org/user/124982
[13] https://www.drupal.org/user/157725
[14] https://www.drupal.org/user/17943
[15] https://www.drupal.org/user/521118
[16] https://www.drupal.org/user/124982
[17] https://www.drupal.org/user/65776
[18] https://www.drupal.org/user/2582268
[19] https://www.drupal.org/user/157725
[20] https://www.drupal.org/user/395439
[21] https://www.drupal.org/user/17943
[22] https://www.drupal.org/user/2301194
[23] https://www.drupal.org/user/49851
[24] https://www.drupal.org/user/241634
[25] https://www.drupal.org/user/102818
[26] https://www.drupal.org/user/35821
[27] https://www.drupal.org/user/521118
[28] https://www.drupal.org/user/3064
[29] https://www.drupal.org/user/421070
[30] https://www.drupal.org/user/99340

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
From security at unicamp.br Thu Apr 26 08:42:56 2018
From: security at unicamp.br (CSIRT Unicamp)
Date: Thu, 26 Apr 2018 08:42:56 -0300
Subject: [SECURITY-L] Fwd: [SECURITY] [DSA 4180-1] drupal7 security update

---------- Forwarded message ----------
From: Salvatore Bonaccorso
Date: 2018-04-25 17:13 GMT-03:00
Subject: [SECURITY] [DSA 4180-1] drupal7 security update
To: debian-security-announce at lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4180-1                   security at debian.org
https://www.debian.org/security/                        Salvatore Bonaccorso
April 25, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : CVE-2018-7602
Debian Bug     : 896701

A remote code execution vulnerability has been found in Drupal, a
fully-featured content management framework. For additional
information, please refer to the upstream advisory at
https://www.drupal.org/sa-core-2018-004

For the oldstable distribution (jessie), this problem has been fixed
in version 7.32-1+deb8u12.

For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u4.

We recommend that you upgrade your drupal7 packages.

For the detailed security status of drupal7 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/drupal7

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce at lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlrg1NVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Qsaw/+MUBRyJRiMPeFg5wk+1wjZcZAf55OIkeJb9QgJoI4rshAQf7aB+gi7O0z
3r/0Q+IOTXh3VtCLWKOCg4kSDd03OZhVGVYwlkaZ3GyvVSD5WFhphtWV7p6ePzcm
DbR4B1gOiDGR5MsWXw6PWxBuhgsppTVFXmyrA6hloEebIKXKwDU3HY5h2ZpBoAR8
GYjk3SQZbuODkjRZitPKxiu0fBriN5qz/tIhvMGjNFZHmJ3UVF877gou6kD2cV36
WjgUWhzg+JxZ/9gQ5aKzuO4yMBlaXuNCsIxvuEU3Gw3FeJIA/Sos0iGgvXR7p7iE
PBtKWisc0z1f0Vt48jxR22C6sfvoxzrVjRD3ylwYMZPR2CkFoklKPGNC9Plfj5mG
KcKOSAIfIv/1dXCDsddjY8zIrvTaJGokHmdkeNDTNFVfcEcDT5/vDwstWwBVheq6
7uFoJvHkWp+/oL4ysZT7pAk5Z+Lg1dkZ2IBxI7nJILPx81SIGzK0yGrrmTOVwtfZ
L7xlFSQMDIhu9941GOZu8OC/gLQGqdsnNr28Bl2rMcZfAHwgCVkzof61kAi3eddG
X/WC1EufxfLgJodRPuOuBsoxBDa76uli0vV2oh0DECD2oehMVEuDckr3q2npWWJ/
UNEOzBuxkWWO+HI2lwaNuKXkJQYlFoeHJKQvaHe97Ofsyvmut/Q=
=Xddc
-----END PGP SIGNATURE-----