Biztonsági figyelmeztetések

CAS - Moderately Critical - Information Disclosure - DRUPAL-SA-CONTRIB-2016-005

Biztonsági figyelmeztetések (contrib) - 2016. február 10. 22.16
Description

This module enables you to use your Drupal site as a client or server for the single sign on protocol CAS. This vulnerability only affects sites that use the "CAS Server" sub module.

The module doesn't allow an administrator to restrict which CAS clients are allowed authenticate with the Drupal CAS server. A malicious CAS client can trick your users into exposing information about themselves, including: username, uid, email, account created date, account language, and roles.

This vulnerability is mitigated by the fact that a user must click a specially formed link from the malicious site and log into your Drupal CAS server with their credentials. If the user already has an active session with your Drupal CAS server, then that step is skipped.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • CAS 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed CAS module, there is nothing you need to do.

Solution

Install the latest version:

  • If you are using the CAS Server sub-module, upgrade to CAS 7.x-1.5 and configure the "white list" of accepted CAS clients that are allowed to authenticate with your CAS server.
  • If you use the CAS module but NOT the server sub-module, then do nothing.

Also see the CAS project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Embedded Media Field - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2016-004

Biztonsági figyelmeztetések (contrib) - 2016. február 10. 22.14
Description

This module enables you to to display video, image, and audio files from various third party providers

The module doesn't sufficiently sanitize path arguments under certain scenarios.

This vulnerability is mitigated by the fact that an attacker must be able to trick an administrator into visiting a carefully crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Embedded Media Field 6.x-1.x all versions.
  • Embedded Media Field 6.x-2.x versions prior to 6.x-2.7.

Versions of Embedded Media Field for Drupal 7 are not affected.

Drupal core is not affected. If you do not use the contributed Embedded Media Field module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Embedded Media Field project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Open Atrium - Moderately Critical - Access Bypass - SA-CONTRIB-2016-003

Biztonsági figyelmeztetések (contrib) - 2016. január 27. 17.29
Description

Open Atrium allows you to control access via a hierarchy of public and private spaces and sub-spaces. If a public sub-space is created within a private parent-space, the content nodes of the public sub-space are accessible to users who are not members of the parent private space.

This issue only affects sites that use private sub-spaces.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Open Atrium 7.x-2.x versions prior to 7.x-2.53.

Drupal core is not affected. If you do not use the contributed Open Atrium module, there is nothing you need to do.

Solution
  • Upgrade to the latest version, 7.x-2.53

If you are not able to fully upgrade to the latest version, ensure private sub-spaces are directly marked as private and are not seen publicly in a private parent space.

Also see the Open Atrium project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Oldalak

Feliratkozás drupal.hu hírolvasó - Biztonsági figyelmeztetések csatornájára