[SECURITY-L] [Security-news] Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001

CSIRT Unicamp security at unicamp.br
Wed Jan 17 16:42:28 -03 2024


View online: https://www.drupal.org/sa-core-2024-001

Project: Drupal core [1]
Date: 2024-January-17
Security risk: *Moderately critical* 11/25
AC:None/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Denial of Service

Affected versions: >=8.0 <10.1.8 || >=10.2 <10.2.2
Description:
The Comment module allows users to reply to comments. In certain cases, an
attacker could make comment reply requests that would trigger a denial of
service (DoS).

Sites that do not use the Comment module are not affected.

Solution:
Install the latest version:

   * If you are using Drupal 10.2, update to Drupal 10.2.2 [3].
   * If you are using Drupal 10.1, update to Drupal 10.1.8 [4].

All versions of Drupal 10 prior to 10.1 are end-of-life and do not receive
security coverage. (Drupal 8 [5] and Drupal 9 [6] have both reached
end-of-life.)

Drupal 7 is not affected.
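The affected-version line above is a Composer-style constraint: alternatives are separated by `||`, and the bounds inside one alternative must all hold. The following checker, added here as an example and not Drupal project code, parses that constraint and tests installed core versions against it so a site inventory can be triaged. The constraint string is copied from the advisory; the function names, the `||`/whitespace parsing rules and the sample hostnames are assumptions made for this example.

```python
"""Check installed Drupal core versions against the affected-version
constraint published in SA-CORE-2024-001.

Added example for this advisory, not Drupal project code. AFFECTED is
copied from the advisory; function names and sample data are constructed.
"""
import re
from typing import List, Tuple

AFFECTED = ">=8.0 <10.1.8 || >=10.2 <10.2.2"   # copied from the advisory

# Comparison operators accepted in a bound, longest first for the regex.
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">":  lambda a, b: a > b,
    "<":  lambda a, b: a < b,
    "=":  lambda a, b: a == b,
}

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'10.1.8' -> (10, 1, 8); an optional leading 'v' is tolerated."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(v: Version, n: int) -> Version:
    # Right-pad with zeros so '10.2' compares as '10.2.0'.
    return v + (0,) * (n - len(v))


def _compare(installed: Version, op: str, bound: Version) -> bool:
    n = max(len(installed), len(bound))
    return _OPS[op](_pad(installed, n), _pad(bound, n))


def parse_constraint(spec: str) -> List[List[Tuple[str, Version]]]:
    """'||' separates alternatives (OR); whitespace inside an alternative
    separates bounds that must all hold (AND). Assumed Composer-like rules."""
    alternatives = []
    for alt in spec.split("||"):
        bounds = []
        for token in alt.split():
            m = re.fullmatch(r"(>=|<=|>|<|=)(.+)", token)
            if not m:
                raise ValueError(f"unsupported bound: {token!r}")
            bounds.append((m.group(1), parse_version(m.group(2))))
        if not bounds:
            raise ValueError("empty alternative in constraint")
        alternatives.append(bounds)
    return alternatives


def is_affected(installed: str, spec: str = AFFECTED) -> bool:
    """True when the installed version satisfies any alternative of spec."""
    v = parse_version(installed)
    return any(all(_compare(v, op, bound) for op, bound in alt)
               for alt in parse_constraint(spec))


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, installed Drupal core version)
    inventory = [("www-1", "10.2.1"), ("www-2", "10.2.2"),
                 ("intranet", "10.1.8"), ("legacy", "9.5.11"),
                 ("archive", "7.99")]
    for host, ver in inventory:
        status = "AFFECTED - update" if is_affected(ver) else "not affected"
        print(f"{host:10} {ver:8} {status}")
```

Note that end-of-life branches (Drupal 8, 9 and 10.0.x) fall inside the first alternative and are reported as affected even though no fixed release exists for them; the only remedy there is a major/minor upgrade, not a point release.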

Reported By:
   * Alexander Antonenko [7]
   * Doug Green [8]

Fixed By:
   * Lee Rowlands [9] of the Drupal Security Team
   * Benji Fisher [10] of the Drupal Security Team
   * Juraj Nemec [11] of the Drupal Security Team
   * xjm [12] of the Drupal Security Team
   * Lauri Eskola [13], provisional member of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/10.2.2
[4] https://www.drupal.org/project/drupal/releases/10.1.8
[5] https://www.drupal.org/psa-2021-06-29
[6] https://www.drupal.org/psa-2023-11-01
[7] https://www.drupal.org/user/225734
[8] https://www.drupal.org/user/29191
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/user/683300
[11] https://www.drupal.org/user/272316
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/1078742

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830