From security em unicamp.br Wed May 12 14:20:46 2021
From: security em unicamp.br (CSIRT Unicamp)
Date: Wed, 12 May 2021 14:20:46 -0300
Subject: [SECURITY-L] Fwd: [Security-news] Gutenberg - Critical - Cross site scripting - SA-CONTRIB-2021-007

Dear all.

View online: https://www.drupal.org/sa-contrib-2021-007

Project: Gutenberg [1]
Version: 8.x-2.x-dev, 8.x-1.x-dev
Date: 2021-May-12
Security risk: *Critical* 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Description:
This module provides a new UI experience for node editing using the Gutenberg Editor library.

The module did not correctly validate access rules in certain situations allowing anonymous users to delete blocks.

Solution:
Install the latest version:
* If you use the Gutenberg module 8.x-1.x, upgrade to 8.x-1.12 [3]
* If you use the Gutenberg module 8.x-2.x, upgrade to 8.x-2.0 [4]
* For roles other than administrator, the "Administer Gutenberg" (8.x-1.x) or the "Use Gutenberg" (8.x-2.x) permission must be given to view and delete reusable blocks.
Reported By:
* Stephan Zeidler [5]
* Mariusz Andrzejewski [6]

Fixed By:
* Stephan Zeidler [7]
* codebymikey [8]
* Marco Fernandes [9]

Coordinated By:
* Damien McKenna [10] of the Drupal Security Team

[1] https://www.drupal.org/project/gutenberg
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/gutenberg/releases/8.x-1.12
[4] https://www.drupal.org/project/gutenberg/releases/8.x-2.0
[5] https://www.drupal.org/user/767652
[6] https://www.drupal.org/user/3517832
[7] https://www.drupal.org/user/767652
[8] https://www.drupal.org/user/3573206
[9] https://www.drupal.org/user/2127558
[10] https://www.drupal.org/u/damienmckenna

_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830

-------------- Next part --------------
An HTML attachment was scrubbed...

From security em unicamp.br Tue May 25 15:09:49 2021
From: security em unicamp.br (CSIRT Unicamp)
Date: Tue, 25 May 2021 15:09:49 -0300
Subject: [SECURITY-L] [Security-news] Off Cycle Drupal Core Security Release - PSA-2021-05-25

View online: https://www.drupal.org/psa-2021-05-25

Date: 2021-May-25

Description:
There will be a security release of Drupal Core 8.9.x, and 9.1.x on May 26th, 2021 between 16:00 - 18:00 UTC.

This Public Service Advisory is to notify that the Drupal core release is outside of the regular schedule of security releases. For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days.
Security release announcements will appear on the Drupal.org security advisory page.

The security risk of the advisory is currently rated as Moderately Critical. This is not a mass-exploitable vulnerability as far as the security team is currently aware.

Given that this is a moderately critical vulnerability and is not believed to be mass exploitable it is not covered by Drupal Steward partners. [1]

[1] https://www.drupal.org/drupal-security-team/steward

From security em unicamp.br Thu May 27 09:12:55 2021
From: security em unicamp.br (CSIRT Unicamp)
Date: Thu, 27 May 2021 09:12:55 -0300
Subject: [SECURITY-L] [RHSA-2021:2139-01] Critical: Red Hat Data Grid 8.2.0 security update
In-Reply-To: <202105262151.14QLpJkK014452@lists01.pubmisc.prod.ext.phx2.redhat.com>
References: <202105262151.14QLpJkK014452@lists01.pubmisc.prod.ext.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat Data Grid 8.2.0 security update
Advisory ID:       RHSA-2021:2139-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2139
Issue date:        2021-05-26
CVE Names:         CVE-2020-10771 CVE-2020-26258 CVE-2020-26259
                   CVE-2021-21290 CVE-2021-21295 CVE-2021-21341
                   CVE-2021-21342 CVE-2021-21343 CVE-2021-21344
                   CVE-2021-21345 CVE-2021-21346 CVE-2021-21347
                   CVE-2021-21348 CVE-2021-21349 CVE-2021-21350
                   CVE-2021-21351 CVE-2021-21409 CVE-2021-31917
=====================================================================

1. Summary:

A security update for Red Hat Data Grid is now available.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is a distributed, in-memory data store.

This release of Red Hat Data Grid 8.2.0 serves as a replacement for Red Hat Data Grid 8.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism (CVE-2021-31917)
* XStream: Unsafe deserialization of javax.sql.rowset.BaseRowSet (CVE-2021-21344)
* XStream: Unsafe deserialization of com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345)
* XStream: Unsafe deserialization of sun.swing.SwingLazyValue (CVE-2021-21346)
* XStream: Unsafe deserialization of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator (CVE-2021-21347)
* XStream: Unsafe deserialization of com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350)
* Infinispan: Actions with effects should not be permitted via GET requests using REST API (CVE-2020-10771)
* XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling (CVE-2020-26258)
* XStream: arbitrary file deletion on the local host when unmarshalling (CVE-2020-26259)
* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)
* netty: possible request smuggling in HTTP/2 due to missing validation (CVE-2021-21295)
* XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream (CVE-2021-21341)
* XStream: SSRF via crafted input stream (CVE-2021-21342)
* XStream: arbitrary file deletion on the local host via crafted input stream (CVE-2021-21343)
* XStream: ReDoS vulnerability (CVE-2021-21348)
* XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host (CVE-2021-21349)
* XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21351)
* netty: Request smuggling via content-length header (CVE-2021-21409)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1846293 - CVE-2020-10771 Infinispan: Actions with effects should not be permitted via GET requests using REST API
1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling
1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling
1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory
1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due to missing validation
1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
1942554 - CVE-2021-21344 XStream: Unsafe deserialization of javax.sql.rowset.BaseRowSet
1942558 - CVE-2021-21345 XStream: Unsafe deserialization of com.sun.corba.se.impl.activation.ServerTableEntry
1942578 - CVE-2021-21346 XStream: Unsafe deserialization of sun.swing.SwingLazyValue
1942629 - CVE-2021-21347 XStream: Unsafe deserialization of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
1942637 - CVE-2021-21350 XStream: Unsafe deserialization of com.sun.org.apache.bcel.internal.util.ClassLoader
1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
1944888 - CVE-2021-21409 netty: Request smuggling via content-length header
1955113 - CVE-2021-31917 Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism

5. References:

https://access.redhat.com/security/cve/CVE-2020-10771
https://access.redhat.com/security/cve/CVE-2020-26258
https://access.redhat.com/security/cve/CVE-2020-26259
https://access.redhat.com/security/cve/CVE-2021-21290
https://access.redhat.com/security/cve/CVE-2021-21295
https://access.redhat.com/security/cve/CVE-2021-21341
https://access.redhat.com/security/cve/CVE-2021-21342
https://access.redhat.com/security/cve/CVE-2021-21343
https://access.redhat.com/security/cve/CVE-2021-21344
https://access.redhat.com/security/cve/CVE-2021-21345
https://access.redhat.com/security/cve/CVE-2021-21346
https://access.redhat.com/security/cve/CVE-2021-21347
https://access.redhat.com/security/cve/CVE-2021-21348
https://access.redhat.com/security/cve/CVE-2021-21349
https://access.redhat.com/security/cve/CVE-2021-21350
https://access.redhat.com/security/cve/CVE-2021-21351
https://access.redhat.com/security/cve/CVE-2021-21409
https://access.redhat.com/security/cve/CVE-2021-31917
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.2
https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html/upgrading_data_grid/

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

-- 
RHSA-announce mailing list
RHSA-announce em redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
From security em unicamp.br Thu May 27 09:14:08 2021
From: security em unicamp.br (CSIRT Unicamp)
Date: Thu, 27 May 2021 09:14:08 -0300
Subject: [SECURITY-L] [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-003

View online: https://www.drupal.org/sa-core-2021-003

Project: Drupal core [1]
Date: 2021-May-26
Security risk: *Moderately critical* 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Scripting

Description:
Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack.

CKEditor 4.16.1 and later include the fix.

Users of the CKEditor library via means other than Drupal core should update their 3rd party code (e.g. the WYSIWYG module for Drupal 7).

The Drupal Security Team policy is not to alert for issues affecting 3rd party libraries unless those are shipped with Drupal core. See DRUPAL-SA-PSA-2016-004 for more details [3].

This issue is mitigated by the fact that it only affects sites with CKEditor enabled.

Solution:
Install the latest version:
* If you are using Drupal 9.1, update to Drupal 9.1.9 [4].
* If you are using Drupal 9.0, update to Drupal 9.0.14 [5].
* If you are using Drupal 8.9, update to Drupal 8.9.16 [6].

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.
Reported By:
* Or Sahar [7]

Fixed By:
* Greg Knaddison [8] of the Drupal Security Team
* Jess [9] of the Drupal Security Team
* Krzysztof Krzton [10]
* Lee Rowlands [11] of the Drupal Security Team
* Michael Hess [12] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/psa-2016-004
[4] https://www.drupal.org/project/drupal/releases/9.1.9
[5] https://www.drupal.org/project/drupal/releases/9.0.14
[6] https://www.drupal.org/project/drupal/releases/8.9.16
[7] https://www.drupal.org/user/3676145
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/3618903
[11] https://www.drupal.org/user/395439
[12] https://www.drupal.org/user/102818