cv-announce-l@list.iu.edu
Subject: cv alerts list
- From: Andrew K Adams <akadams@psc.edu>
- To: cv-announce@trustedci.org
- Cc: "Andrew K. Adams" <akadams@psc.edu>
- Subject: [cv-announce-l] Drupal Vulnerability (SA-CORE-2019-003)
- Date: Wed, 20 Feb 2019 17:27:01 -0500
CI Operators:
Drupal's maintainers announced a critical field sanitization vulnerability[1] in Drupal Core. A site running Drupal 8 is affected if it is running RESTful Web Services which allow PATCH or POST requests, OR if it is running another web services module like JSON:API. A site running Drupal 7 is affected if it is running Services or RESTful Web Services.
Impact:
A malicious user could execute arbitrary PHP code.
Affected Software:
Drupal 8.6.x < 8.6.9
Drupal 8.5.x < 8.5.10 (Note, versions of Drupal 8 prior to 8.5.x are end-of-life.)
Drupal 7 - no core update is required, but you may need to update affected contributed modules.
Recommendation:
Upgrade to the latest version of Drupal 8.
Drupal 8.6.x: https://www.drupal.org/project/drupal/releases/8.6.10
Drupal 8.5.x: https://www.drupal.org/project/drupal/releases/8.5.11
References:
[1] https://www.drupal.org/sa-core-2019-003
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
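The exposure conditions and fixed releases in the advisory above can be turned into an inventory triage check. This is an added example, not part of the original message or of Drupal's own tooling; the module machine names (`rest`, `jsonapi`, `services`, `restws`), the status labels and the inventory records are assumptions made for illustration, and versions are compared against the releases listed under Recommendation.

```python
import re

# Fixed releases from the advisory's Recommendation section, keyed by branch.
FIXED = {(8, 6): (8, 6, 10), (8, 5): (8, 5, 11)}
# Module machine names below are assumptions; the advisory gives display names only.
D8_SERVICE_MODULES = {"jsonapi"}          # JSON:API
D8_REST_MODULE = "rest"                   # RESTful Web Services (core)
D7_SERVICE_MODULES = {"services", "restws"}
WRITE_METHODS = {"PATCH", "POST"}


def parse_version(text):
    """Turn '8.6.9' or '7.64' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def triage(version, modules, rest_methods=()):
    """Return (status, exposed_modules) for one site inventory record."""
    ver = parse_version(version)
    enabled = {name.lower() for name in modules}
    if ver[0] == 7:
        # No core update for Drupal 7; the affected contributed modules need updating.
        hits = sorted(enabled & D7_SERVICE_MODULES)
        return ("update-contrib-modules" if hits else "not-exposed"), hits
    if ver[0] != 8:
        return "out-of-scope", []
    exposed = sorted(enabled & D8_SERVICE_MODULES)
    if D8_REST_MODULE in enabled and WRITE_METHODS & {m.upper() for m in rest_methods}:
        exposed.append(D8_REST_MODULE)
    if ver[:2] < (8, 5):
        return "end-of-life", exposed      # unsupported branch, no fixed release listed
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return "out-of-scope", exposed     # branch not covered by this advisory
    if ver >= fixed:
        return "patched", exposed
    return ("upgrade-urgent" if exposed else "upgrade"), exposed


if __name__ == "__main__":
    # Constructed inventory records, not real sites.
    inventory = [
        ("8.6.9", ["rest", "node"], ["GET", "PATCH"]),
        ("8.5.11", ["jsonapi"], []),
        ("7.64", ["restws", "views"], []),
    ]
    for record in inventory:
        print(record[0], triage(*record))
```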