Security updates

DSA-4340 chromium-browser

Debian Security - Sun., 18/11/2018 - 00:00
security update

DSA-4339 ceph

Debian Security - Tue., 13/11/2018 - 00:00
security update

DSA-4338 qemu

Debian Security - Sun., 11/11/2018 - 00:00
security update

DSA-4337 thunderbird

Debian Security - Sat., 10/11/2018 - 00:00
security update

DSA-4336 ghostscript

Debian Security - Sat., 10/11/2018 - 00:00
security update

DSA-4335 nginx

Debian Security - Thu., 08/11/2018 - 00:00
security update

DSA-4334 mupdf

Debian Security - Sun., 04/11/2018 - 00:00
security update

DSA-4333 icecast2

Debian Security - Sun., 04/11/2018 - 00:00
security update

DSA-4332 ruby2.3

Debian Security - Sat., 03/11/2018 - 00:00
security update

DSA-4331 curl

Debian Security - Fri., 02/11/2018 - 00:00
security update

DSA-4330 chromium-browser

Debian Security - Fri., 02/11/2018 - 00:00
security update

DSA-4329 teeworlds

Debian Security - Sun., 28/10/2018 - 00:00
security update

DSA-4328 xorg-server

Debian Security - Thu., 25/10/2018 - 00:00
security update

DSA-4327 thunderbird

Debian Security - Thu., 25/10/2018 - 00:00
security update

DSA-4326 openjdk-8

Debian Security - Thu., 25/10/2018 - 00:00
security update

DSA-4325 mosquitto

Debian Security - Thu., 25/10/2018 - 00:00
security update

DSA-4324 firefox-esr

Debian Security - Wed., 24/10/2018 - 00:00
security update

DSA-4323 drupal7

Debian Security - Thu., 18/10/2018 - 00:00
security update

Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006

Drupal - Security advisories - Wed., 17/10/2018 - 18:42
  • Advisory ID: DRUPAL-SA-CONTRIB-2018-006
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2018-October-17
Description

Content moderation - Moderately critical - Access bypass - Drupal 8

In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content moderation which may have implications for backwards compatibility:

ModerationStateConstraintValidator
Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor, if the constructor has been overridden.
StateTransitionValidationInterface
An additional method has been added to this interface. Implementations of this interface that do not extend the StateTransitionValidation class should implement this method.

Implementations which do extend from the StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method.

User permissions
Previously users who didn't have access to use any content moderation transitions were granted implicit access to update content provided the state of the content did not change. Now access to an associated transition will be validated for all users in scenarios where the state of content does not change between revisions.

Reported by

Fixed by

External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8

The path module allows users with the 'administer paths' permission to create pretty URLs for content.

In certain circumstances such a user can enter a particular path that triggers an open redirect to a malicious URL.

The issue is mitigated by the fact that the user needs the 'administer paths' permission to exploit it.

Reported by

Fixed by

Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a third-party website, thereby exposing those users to potential social engineering attacks.

This vulnerability has been publicly documented.

RedirectResponseSubscriber event handler removal

As part of the fix, \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination has been removed. Although this is a public function, it is not considered an API under our API policy for event subscribers.
If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch. The existing function has been removed to prevent a false sense of security.

Reported by

Fixed by
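The "destination" parameter above is safe only if the application refuses to redirect anywhere but its own site. The following is an added, stand-alone Python illustration of such a check (not Drupal's code; the function names are my own), covering the absolute, scheme-relative, backslash and control-character forms that commonly slip past a naive "starts with a slash" test:

```python
from urllib.parse import urlsplit


def is_local_destination(destination: str) -> bool:
    """Return True only when `destination` is a same-site path.

    Rejects absolute URLs (https://evil.example/), scheme-relative URLs
    (//evil.example), backslash variants such as /\\evil.example that some
    browsers normalise to forward slashes, and paths containing control
    characters (tabs or newlines) that browsers strip before parsing.
    """
    if not destination:
        return False
    # Must be exactly one leading slash: "//host" and "/\host" are not local.
    if destination[0] != "/" or destination[1:2] in ("/", "\\"):
        return False
    # Backslashes and control characters are never part of a legitimate
    # site-local path here; reject rather than try to normalise them.
    if "\\" in destination or any(ord(ch) < 0x20 for ch in destination):
        return False
    # Final structural check: a local path has neither scheme nor host.
    parts = urlsplit(destination)
    return not parts.scheme and not parts.netloc


def safe_redirect_target(query_destination: str, fallback: str = "/") -> str:
    """Pick the redirect target for a request: the user-supplied
    destination when it is local, otherwise a fixed fallback page."""
    if is_local_destination(query_destination):
        return query_destination
    return fallback


if __name__ == "__main__":
    # Constructed sample values, as they might arrive in ?destination=...
    for candidate in ["/node/1?foo=bar", "//evil.example", "/\\evil.example",
                      "https://evil.example/", "/\t/evil.example", ""]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

Log every rejected destination with the requesting IP and referrer; a burst of rejections for the same external host is a useful signal that someone is distributing crafted links.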

Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

Reported by

Fixed by

Contextual Links validation - Critical - Remote Code Execution - Drupal 8

The Contextual Links module doesn't sufficiently validate the requested contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".

Reported by

Fixed by

Solution

Upgrade to the most recent version of Drupal 7 or 8 core.

Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019.

DSA-4322 libssh

Debian Security - Wed., 17/10/2018 - 00:00
security update