cv-announce-l@list.iu.edu
- From: Andrew K Adams <akadams@psc.edu>
- To: cv-announce@trustedci.org
- Cc: "Andrew K. Adams" <akadams@psc.edu>
- Subject: [cv-announce-l] Drupal Vulnerability (SA-CORE-2019-007)
- Date: Fri, 10 May 2019 15:21:25 -0400
CI Operators:
Drupal's maintainers announced a moderately critical vulnerability [1] in a third-party dependency used by Drupal Core. A vulnerability concerning insufficient deserialization when accessing Phar files (PHP archives) was addressed in [2]. However, that solution is vulnerable to a path traversal exploit in the Phar Stream Wrapper Interceptor.
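The following PHP snippet is an added illustration, not Drupal's or TYPO3's own code and not the actual patch: it shows the kind of allow-list check a Phar stream wrapper interceptor performs on a `phar://` path, and why the path has to be normalised lexically (resolving `.` and `..` segments) before it is compared against the permitted directories. A plain prefix comparison on the raw string is exactly what a traversal sequence bypasses. The allow-list directory and the sample paths are constructed for this example; relative paths are treated as rooted at `/`, which is an assumption made here to keep the check self-contained.

```php
<?php
// Added example: allow-list validation for phar:// paths with lexical
// normalisation. Not Drupal/TYPO3 code; directory and paths are constructed.

/**
 * Reduce a phar:// path to an absolute, normalised form without touching the
 * filesystem (realpath() cannot be used: the archive may not exist yet, and
 * the check must run before PHP's stream wrapper opens anything).
 * Returns null for anything that is not a phar:// path.
 */
function normalizePharPath(string $path): ?string
{
    if (stripos($path, 'phar://') !== 0) {
        return null;
    }
    $inner = substr($path, strlen('phar://'));
    // Defensive: treat backslashes as separators as well, so a mixed
    // separator style cannot smuggle a ".." segment past the split below.
    $inner = str_replace('\\', '/', $inner);

    $segments = [];
    foreach (explode('/', $inner) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;               // empty or current-dir segment: drop
        }
        if ($seg === '..') {
            array_pop($segments);   // parent segment: step back (no-op at root)
            continue;
        }
        $segments[] = $seg;
    }
    // Assumption for this example: relative paths are anchored at "/".
    return '/' . implode('/', $segments);
}

/**
 * True only if the normalised phar:// path lies inside one of $allowedDirs.
 * Comparing the normalised form (not the raw string) is the point: the raw
 * string "phar:///allowed/../../tmp/x.phar" starts with "/allowed/" yet does
 * not live there.
 */
function isAllowedPharPath(string $path, array $allowedDirs): bool
{
    $normalized = normalizePharPath($path);
    if ($normalized === null) {
        return false;
    }
    foreach ($allowedDirs as $dir) {
        $dir = rtrim($dir, '/') . '/';  // trailing slash prevents /vendor2 matching /vendor
        if (strncmp($normalized, $dir, strlen($dir)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: one legitimate archive path, two traversal attempts.
$allowed = ['/var/www/app/vendor'];
$samples = [
    'phar:///var/www/app/vendor/lib.phar/file.php',          // inside allow-list
    'phar:///var/www/app/vendor/../../../tmp/upload.phar/x', // traversal out of it
    'phar://../../tmp/upload.phar',                          // relative traversal
];
foreach ($samples as $p) {
    printf("%-58s %s\n", $p, isAllowedPharPath($p, $allowed) ? 'allow' : 'deny');
}
```

Run with `php example.php`; the first sample is allowed and the two traversal forms are denied, whereas a naive `strpos($path, 'phar:///var/www/app/vendor') === 0` test would have accepted the second one. In a real interceptor this comparison is only one piece: the wrapper must also be registered so that every `phar://` access passes through it, which is the part the advisory's upgrade addresses.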
Impact:
Depending on the interceptor strategy used, a malicious actor could execute arbitrary code.
Affected Software:
Drupal 8.7.x < 8.7.1
Drupal 8.6.x < 8.6.16
Drupal 7.x < 7.67
Recommendation:
Upgrade to the latest version of Drupal 8.
Drupal 8.7.x: https://www.drupal.org/project/drupal/releases/8.7.1
Drupal 8.6.x: https://www.drupal.org/project/drupal/releases/8.6.16
Drupal 7: https://www.drupal.org/project/drupal/releases/7.67
References:
[1] https://www.drupal.org/sa-core-2019-007
[2] https://typo3.org/security/advisory/typo3-core-sa-2018-002/
[3] https://typo3.org/security/advisory/typo3-psa-2019-007/
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.