<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-forward-container"><br>
<br>
-------- Forwarded message --------
<table class="moz-email-headers-table" cellpadding="0"
cellspacing="0" border="0">
<tbody>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject:
</th>
<td>[Security-news] Drupal Core - Critical - Access Bypass -
SA-CORE-2017-002</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date: </th>
<td>Wed, 19 Apr 2017 17:59:35 +0000 (UTC)</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">From: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:security-news@drupal.org">security-news@drupal.org</a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Reply-To: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:noreply@drupal.org">noreply@drupal.org</a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:security-news@drupal.org">security-news@drupal.org</a></td>
</tr>
</tbody>
</table>
<pre>View online: <a class="moz-txt-link-freetext" href="https://www.drupal.org/SA-CORE-2017-002">https://www.drupal.org/SA-CORE-2017-002</a>
* Advisory ID: DRUPAL-SA-CORE-2017-002
* Project: Drupal core [1]
* Version: 8.x
* Date: 2017-April-19
* CVEID: CVE-2017-6919
* Security risk: 17/25 (Critical)
AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This is a critical access bypass vulnerability. A site is only affected if
all of the following conditions are met:
* The site has the RESTful Web Services (rest) module enabled.
* The site allows PATCH requests.
* An attacker can get or register a user account on the site.
While we don't normally provide security releases for unsupported minor
releases [3], given the potential severity of this issue, we have also
provided an 8.2.x release to ensure that sites that have not had a chance to
update to 8.3.0 can update safely.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* CVE-2017-6919 [4], assigned in accordance with Drupal Security Team
processes (this is the CVEID given in the advisory header above).
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 8.x prior to 8.2.8 (which includes every 8.0.x and 8.1.x release), and Drupal 8.3.0 (fixed in 8.3.1).
* Drupal 7.x is not affected.
-------- SOLUTION
------------------------------------------------------------
* If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8. [5]
* If the site is running Drupal 8.3.0, upgrade to 8.3.1. [6]
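The following is an added example, not part of the Drupal advisory and not
Drupal core code. It encodes the ranges from VERSIONS AFFECTED and the
upgrade targets from SOLUTION together with the three exposure conditions
from DESCRIPTION, so an operator can triage an inventory of Drupal 8 sites.
Versions are compared in MAJOR.MINOR.PATCH order, with a pre-release suffix
(for example 8.3.0-rc1) sorting before the final release and therefore
counting as "prior to" it. The SiteFacts field names and the sample
inventory are this example's own constructions; gathering the facts for a
real site (core version, whether the rest module is enabled, whether any
REST resource accepts PATCH, whether an attacker can obtain an account) is
left to the operator.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Fixed releases named in the SOLUTION section of SA-CORE-2017-002.
FIXED_8_2 = (8, 2, 8)
FIXED_8_3 = (8, 3, 1)

Version = Tuple[int, int, int, bool]  # (major, minor, patch, is_final_release)


def parse_version(version: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a sortable tuple.

    The boolean is True for a final release and False for a pre-release
    (alpha, beta, rc), so 8.3.0-rc1 sorts before 8.3.0 and is treated as
    "prior to" it, matching the advisory's wording.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), suffix is None)


def core_vulnerable(version: str) -> bool:
    """True when this core release falls inside the advisory's affected ranges."""
    v = parse_version(version)
    if v[0] != 8:
        return False  # Drupal 7.x is not affected; no other major is listed.
    if v >= FIXED_8_3 + (True,):
        return False  # 8.3.1 and later carry the fix.
    if FIXED_8_2 + (True,) <= v < (8, 3, 0, False):
        return False  # 8.2.8 carries the fix; nothing between it and 8.3.0 is affected.
    return True       # everything before 8.2.8, and 8.3.0 (including its pre-releases)


def upgrade_target(version: str) -> Optional[str]:
    """Release to move to per the SOLUTION section, or None if no upgrade is needed."""
    if not core_vulnerable(version):
        return None
    major, minor = parse_version(version)[:2]
    return "8.2.8" if (major, minor) <= (8, 2) else "8.3.1"


@dataclass(frozen=True)
class SiteFacts:
    """Facts an operator gathers per site; the field names are this example's own."""
    name: str
    core_version: str
    enabled_modules: FrozenSet[str]
    rest_accepts_patch: bool        # some REST resource is configured to allow PATCH
    attacker_can_get_account: bool  # open registration, or low-privilege accounts exist


def site_exposed(site: SiteFacts) -> bool:
    """Core is unpatched AND all three DESCRIPTION conditions hold."""
    return (
        core_vulnerable(site.core_version)
        and "rest" in site.enabled_modules
        and site.rest_accepts_patch
        and site.attacker_can_get_account
    )


def triage(sites) -> dict:
    """Map each site name to a verdict string derived from the advisory."""
    verdicts = {}
    for site in sites:
        target = upgrade_target(site.core_version)
        if target is None:
            verdicts[site.name] = "ok"
        elif site_exposed(site):
            verdicts[site.name] = f"exposed: upgrade to {target}"
        else:
            verdicts[site.name] = f"unpatched but not exposed: upgrade to {target}"
    return verdicts


# Constructed sample inventory for this example (not real sites).
SAMPLE_SITES = [
    SiteFacts("intranet", "8.2.7", frozenset({"node", "user", "rest"}), True, True),
    SiteFacts("brochure", "8.3.0", frozenset({"node", "user"}), False, False),
    SiteFacts("api", "8.3.1", frozenset({"node", "user", "rest"}), True, True),
    SiteFacts("legacy", "7.54", frozenset({"node", "user"}), False, True),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_SITES).items():
        print(f"{name:10s} {verdict}")
```

A site that is unpatched but "not exposed" today still gets an upgrade
target: the three conditions describe current exploitability, and enabling
the rest module or opening registration later would change the verdict
without anyone re-running the check, so the version fix is what to act on.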
Also see the Drupal core [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Samuel Mortenson [8]
-------- FIXED BY
------------------------------------------------------------
* Alex Pott [9] of the Drupal Security Team
* xjm [10] of the Drupal Security Team
* Lee Rowlands [11] of the Drupal Security Team
* Wim Leers [12]
* Sascha Grossenbacher [13]
* Daniel Wehner [14]
* Tobias Stöckler [15]
* Nathaniel Catchpole [16] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* The Drupal Security team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at <a class="moz-txt-link-freetext" href="https://www.drupal.org/contact">https://www.drupal.org/contact</a> [17].
Learn more about the Drupal Security team and their policies [18], writing
secure code for Drupal [19], and securing your site [20].
Follow the Drupal Security Team on Twitter at
<a class="moz-txt-link-freetext" href="https://twitter.com/drupalsecurity">https://twitter.com/drupalsecurity</a> [21]
[1] <a class="moz-txt-link-freetext" href="https://www.drupal.org/project/drupal">https://www.drupal.org/project/drupal</a>
[2] <a class="moz-txt-link-freetext" href="https://www.drupal.org/security-team/risk-levels">https://www.drupal.org/security-team/risk-levels</a>
[3] <a class="moz-txt-link-freetext" href="https://www.drupal.org/core/release-cycle-overview">https://www.drupal.org/core/release-cycle-overview</a>
[4] <a class="moz-txt-link-freetext" href="http://cve.mitre.org/">http://cve.mitre.org/</a>
[5] <a class="moz-txt-link-freetext" href="https://www.drupal.org/project/drupal/releases/8.2.8">https://www.drupal.org/project/drupal/releases/8.2.8</a>
[6] <a class="moz-txt-link-freetext" href="https://www.drupal.org/project/drupal/releases/8.3.1">https://www.drupal.org/project/drupal/releases/8.3.1</a>
[7] <a class="moz-txt-link-freetext" href="https://www.drupal.org/project/drupal">https://www.drupal.org/project/drupal</a>
[8] <a class="moz-txt-link-freetext" href="https://www.drupal.org/u/samuelmortenson">https://www.drupal.org/u/samuelmortenson</a>
[9] <a class="moz-txt-link-freetext" href="https://www.drupal.org/u/alexpott">https://www.drupal.org/u/alexpott</a>
[10] <a class="moz-txt-link-freetext" href="https://www.drupal.org/u/xjm">https://www.drupal.org/u/xjm</a>
[11] <a class="moz-txt-link-freetext" href="https://www.drupal.org/u/larowlan">https://www.drupal.org/u/larowlan</a>
[12] <a class="moz-txt-link-freetext" href="https://www.drupal.org/u/wim-leers">https://www.drupal.org/u/wim-leers</a>
[13] <a class="moz-txt-link-freetext" href="https://www.drupal.org/u/Berdir">https://www.drupal.org/u/Berdir</a>
[14] <a class="moz-txt-link-freetext" href="https://www.drupal.org/u/dawehner">https://www.drupal.org/u/dawehner</a>
[15] <a class="moz-txt-link-freetext" href="https://www.drupal.org/u/tstoeckler">https://www.drupal.org/u/tstoeckler</a>
[16] <a class="moz-txt-link-freetext" href="https://www.drupal.org/u/catch">https://www.drupal.org/u/catch</a>
[17] <a class="moz-txt-link-freetext" href="https://www.drupal.org/contact">https://www.drupal.org/contact</a>
[18] <a class="moz-txt-link-freetext" href="https://www.drupal.org/security-team">https://www.drupal.org/security-team</a>
[19] <a class="moz-txt-link-freetext" href="https://www.drupal.org/writing-secure-code">https://www.drupal.org/writing-secure-code</a>
[20] <a class="moz-txt-link-freetext" href="https://www.drupal.org/security/secure-configuration">https://www.drupal.org/security/secure-configuration</a>
[21] <a class="moz-txt-link-freetext" href="https://twitter.com/drupalsecurity">https://twitter.com/drupalsecurity</a>
_______________________________________________
Security-news mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Security-news@drupal.org">Security-news@drupal.org</a>
Unsubscribe at <a class="moz-txt-link-freetext" href="https://lists.drupal.org/mailman/listinfo/security-news">https://lists.drupal.org/mailman/listinfo/security-news</a>
</pre>
</div>
</body>
</html>