cv-announce-l - [cv-announce-l] Drupal Vulnerabilities (SA-CORE-2019-005 & SA-CORE-2019-006)

Please Wait...

cv-announce-l@list.iu.edu

Subject: cv alerts list

List archive

  • From: Andrew K Adams <akadams@psc.edu>
  • To: cv-announce@trustedci.org
  • Cc: "Andrew K. Adams" <akadams@psc.edu>
  • Subject: [cv-announce-l] Drupal Vulnerabilities (SA-CORE-2019-005 & SA-CORE-2019-006)
  • Date: Tue, 23 Apr 2019 16:48:11 -0400

CI Operators:


Drupal's maintainers announced two moderately critical vulnerabilities in third-party toolkits used by Drupal Core. SA-CORE-2019-005 [1] describes three issues [2][3][4] related to insufficient sanitization/validation/processing of data in the Symfony Framework. SA-CORE-2019-006 [5] relates to a vulnerability in jQuery [6] which could be exploitable with several Drupal modules.


Impact:

The most serious vulnerabilities in SA-CORE-2019-005 and in SA-CORE-2019-006 would enable a malicious user to execute arbitrary code.


Affected Software:

Drupal 8.6.x < 8.6.15

Drupal 8.5.x < 8.5.15 (Note, versions of Drupal 8 prior to 8.5.x are end-of-life.)

Drupal 7.x < 7.66 (Note, Drupal 7 is only affected by SA-CORE-2019-006.)


Recommendation:

Upgrade to the latest version of Drupal 8.

Drupal 8.6.x: https://www.drupal.org/project/drupal/releases/8.6.15

Drupal 8.5.x: https://www.drupal.org/project/drupal/releases/8.5.15

Drupal 7: https://www.drupal.org/project/drupal/releases/7.66
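As an added triage helper (not part of this message, nor Drupal's own tooling), the affected-version rules above expressed as a function that maps a reported Drupal core version to the advisories it is exposed to. The hostnames and versions in the sample inventory are constructed, and treating branches the advisory does not list (8.7 and newer) as out of scope is an assumption.

```python
"""Triage helper for the Drupal advisories in this message (added example, not advisory text)."""
from typing import Dict, List, Tuple

# Fixed releases exactly as listed in the advisory; older releases on the same branch are affected.
FIXED = {(8, 6): (8, 6, 15), (8, 5): (8, 5, 15), (7,): (7, 66)}
BOTH = ["SA-CORE-2019-005", "SA-CORE-2019-006"]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.6.14' or '8.6.14-rc1' into a comparable tuple of integers."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def assess(version_text: str) -> List[str]:
    """Return the advisory IDs a Drupal core version is exposed to, per the advisory's lists.

    Drupal 8.6.x < 8.6.15 and 8.5.x < 8.5.15: both advisories.
    Drupal 8 branches before 8.5: flagged END-OF-LIFE (the advisory gives no rating for them).
    Drupal 7.x < 7.66: SA-CORE-2019-006 only.
    Anything else (Drupal 6, or branches newer than those listed) is treated as out of scope
    of this advisory (assumption).
    """
    v = parse_version(version_text)
    if v[0] == 8:
        if v[:2] < (8, 5):
            return ["END-OF-LIFE"]
        fixed = FIXED.get(v[:2])
        return list(BOTH) if fixed is not None and v < fixed else []
    if v[0] == 7:
        return ["SA-CORE-2019-006"] if v < FIXED[(7,)] else []
    return []


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host that still needs action to the advisories it is exposed to."""
    report = {host: assess(ver) for host, ver in inventory.items()}
    return {host: hits for host, hits in report.items() if hits}


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "www-1.example.org": "8.6.14",
    "www-2.example.org": "8.6.15",
    "legacy.example.org": "7.65",
    "archive.example.org": "8.4.8",
}

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(hits)}")
```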


References:

[1] https://www.drupal.org/sa-core-2019-005

[2] https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine

[3] https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid

[4] https://symfony.com/blog/cve-2019-10911-add-a-separator-in-the-remember-me-cookie-hash

[5] https://www.drupal.org/sa-core-2019-006

[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358


How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.

