CentOS Errata and Security Advisory 2015:0047 Important
Upstream details at: https://rhn.redhat.com/errata/RHSA-2015-0047.html
The following updated files have been uploaded and are currently syncing to the mirrors: (sha256sum Filename)
i386:
e4a5ef8b030762b5d280948211fb7536e2374a3f9838f31b2832dfc18e52fb28 thunderbird-31.4.0-1.el5.centos.i386.rpm
x86_64:
d50ff4ff7baa048d1e90f34cb98a2282ee5ecdea6fa25f3eee96afb5f7046b69 thunderbird-31.4.0-1.el5.centos.x86_64.rpm
Source:
985c582a527ef7643aacc1acb828bf720c7ed3b9584045c80681172cb7bfae78 thunderbird-31.4.0-1.el5.centos.src.rpm
Monthly Archives: January 2015
SA-CONTRIB-2015-022 – nodeauthor – Cross Site Scripting (XSS) – Unsupported
- Advisory ID: DRUPAL-SA-CONTRIB-2015-022
- Project: nodeauthor (third-party module)
- Version: 7.x
- Date: 2015-January-14
- Security risk: 12/25 (Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default
- Vulnerability: Cross Site Scripting
Description
This module displays node author information in a jQuery slider.
The module doesn’t sufficiently sanitize Profile2 fields in a provided block.
This vulnerability is mitigated by the fact that an attacker must have a user account allowed to edit profile fields.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- All versions of nodeauthor module.
Drupal core is not affected. If you do not use the contributed nodeauthor module, there is nothing you need to do.
Solution
If you use the nodeauthor module you should uninstall it.
Also see the nodeauthor project page.
Reported by
- Pere Orga provisional member of the Drupal Security Team
Fixed by
Not applicable.
Coordinated by
- Pere Orga provisional member of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
SA-CONTRIB-2015-021 – Content Analysis – Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2015-021
- Project: Content Analysis (third-party module)
- Version: 6.x
- Date: 2014-January-14
- Security risk: 16/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
- Vulnerability: Cross Site Scripting
Description
The Content Analysis module is an API designed to help modules that need to analyze content.
The module fails to sanitize user input in log messages, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that only sites with dblog module enabled are affected.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Content Analysis 6.x-1.x versions prior to 6.x-1.7.
Drupal core is not affected. If you do not use the contributed Content Analysis module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Content Analysis module for Drupal 6.x, upgrade to Content Analysis 6.x-1.7
Also see the Content Analysis project page.
Reported by
- Pere Orga provisional member of the Drupal Security Team
Fixed by
- Tom McCracken the module maintainer
Coordinated by
- Pere Orga provisional member of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
CESA-2015:0046 Critical CentOS 7 xulrunner Security Update
CentOS Errata and Security Advisory 2015:0046 Critical
Upstream details at: https://rhn.redhat.com/errata/RHSA-2015-0046.html
The following updated files have been uploaded and are currently syncing to the mirrors: (sha256sum Filename)
x86_64:
fb2527c63a823d19d5c7fe48879049f1aa34abd128676072195037a8e702611e xulrunner-31.4.0-1.el7.centos.i686.rpm
3ad1168572ea24666eebac8c37d747d0eed87df021cf76ebc1f86dec9bcd6ee8 xulrunner-31.4.0-1.el7.centos.x86_64.rpm
bac4624b98877530450e959acc6156fc0f1eebe579c366e18559a7fba84c7f1b xulrunner-devel-31.4.0-1.el7.centos.i686.rpm
aad6e204ff3f6bb929b14cfc78e4d07205a73515e2bdf4ac971af307be4ab869 xulrunner-devel-31.4.0-1.el7.centos.x86_64.rpm
Source:
ede19fd8b6afdb8a452fb6a69d4a10813828e73bcb6dfcd8622db9b2738c9c19 xulrunner-31.4.0-1.el7.centos.src.rpm
CESA-2015:0046 Critical CentOS 7 firefox Security Update
CentOS Errata and Security Advisory 2015:0046 Critical
Upstream details at: https://rhn.redhat.com/errata/RHSA-2015-0046.html
The following updated files have been uploaded and are currently syncing to the mirrors: (sha256sum Filename)
x86_64:
fb2393878ca1b157a9804c2d42d3237568c956511d49320fea0b3ebc1665624b firefox-31.4.0-1.el7.centos.i686.rpm
0c0baca91c5849111abcc90173cf51995e8967f395a02e769c2a01635ec4a88f firefox-31.4.0-1.el7.centos.x86_64.rpm
Source:
af767d1f2e23d4921201d56cddbebf906f7fe00cfda9d5f5113b4027ebc63320 firefox-31.4.0-1.el7.centos.src.rpm
CEBA-2015:0037 CentOS 7 systemd BugFix Update
CentOS Errata and Bugfix Advisory 2015:0037
Upstream details at: https://rhn.redhat.com/errata/RHBA-2015-0037.html
The following updated files have been uploaded and are currently syncing to the mirrors: (sha256sum Filename)
x86_64:
6555d15e263354edc5744bcf40ba15938f37c59f0d59988d19948e563132fd6c libgudev1-208-11.el7_0.6.i686.rpm
67c9e574ec5b49bbe55cbbb1a8a71b0e7dbeeb5f90228bc468396d02d2392de4 libgudev1-208-11.el7_0.6.x86_64.rpm
1bda3c0b2b4ea0652aac2c73cde95a66ef4e3cd81686e70c407c52b9173e9a26 libgudev1-devel-208-11.el7_0.6.i686.rpm
a164c8fd7527814fc71a87a72904bc9ae3f472d5a5eeda02f1b96417f26c1790 libgudev1-devel-208-11.el7_0.6.x86_64.rpm
4f89630edf959129fc9f45a44a067ba77b9764124b27a9d72c6c552c17447c97 systemd-208-11.el7_0.6.x86_64.rpm
81d5cf3173a42ab19979133e7e1dbadbe6b77405a403677a9e366a863435cc59 systemd-devel-208-11.el7_0.6.i686.rpm
0751a214e99b7ab6199fb72e6de5ff72e5dfdcc739bb58f648f82896fd2beb57 systemd-devel-208-11.el7_0.6.x86_64.rpm
3462961d5e3833ee29aeec56006ad9f526643490dc03158cc64fc3c33b3b2398 systemd-journal-gateway-208-11.el7_0.6.x86_64.rpm
b42a15055294b897fbef3479ab1e00c06f8008e41cd147059e73722efbef3668 systemd-libs-208-11.el7_0.6.i686.rpm
4f935227b03afdc91e1ab8dc4b490c275d0514827eaec6621125ff8230f8c7ce systemd-libs-208-11.el7_0.6.x86_64.rpm
ab6054863aa45a97a73f618efab394b46d8836ce30def807929d553f44c2dcb1 systemd-python-208-11.el7_0.6.x86_64.rpm
09afee85d7ecce997e5da21b620d169de7f7fd18868ac0dba5b52cb61fd39a80 systemd-sysv-208-11.el7_0.6.x86_64.rpm
Source:
2be72b5666b836d43bf06c0bb51c9c6e3f171149e2c0e74bd900ed489e214971 systemd-208-11.el7_0.6.src.rpm
SA-CONTRIB-2015-020 – Contact Form Fields – Cross Site Request Forgery (CSRF)
- Advisory ID: DRUPAL-SA-CONTRIB-2015-020
- Project: Contact form fields (third-party module)
- Version: 6.x
- Date: 2014-January-14
- Security risk: 13/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
- Vulnerability: Cross Site Request Forgery
Description
The Contact Form Fields module enables you to add extra fields to the site-wide contact form.
Some links were not properly protected from CSRF. A malicious user could cause an administrator to delete fields by getting the administrator’s browser to make a request to a specially-crafted URL while the administrator was logged in.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- All Contact Form Fields versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed Contact form fields module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Contact Form Fields module for Drupal 6.x, upgrade to Contact Form Fields 6.x-2.3
Also see the Contact form fields project page.
Reported by
- Pere Orga provisional member of the Drupal Security Team
Fixed by
- Timofey Denisov the module maintainer
Coordinated by
- Pere Orga provisional member of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
SA-CONTRIB-2015-019 – Ubercart Currency Conversion – Open Redirect
- Advisory ID: DRUPAL-SA-CONTRIB-2015-019
- Project: Ubercart Currency Conversion (third-party module)
- Version: 6.x
- Date: 2015-January-14
- Security risk: 10/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
- Vulnerability: Open Redirect
Description
This module enables users to change the currency of Ubercart products.
When switching the currency, the user is redirected to a page specified in the destination query parameter. The module was not checking that the passed argument was an internal URL, thereby leading to an open redirect vulnerability.
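The check the description says was missing, as an added plain-PHP illustration (this is not the module's code; the function names, the front-page fallback and the sample inputs are assumptions):

```php
<?php
// Added illustration, not the Ubercart Currency Conversion module's own code:
// accept a "destination" query parameter only when it is a path on this site,
// so the parameter cannot send the user to another host.

/**
 * Return TRUE when $destination is a site-local path, FALSE otherwise.
 *
 * Rejected: absolute URLs with a scheme or host (http://other.example/),
 * protocol-relative URLs (//other.example), backslash variants browsers
 * normalise to slashes (/\other.example), embedded credentials or ports,
 * and control characters or whitespace.
 */
function is_local_destination($destination) {
  if (!is_string($destination) || $destination === '') {
    return FALSE;
  }
  if (preg_match('/[\x00-\x20\x7f]/', $destination)) {
    return FALSE;
  }
  // Browsers treat "/\host" like "//host", so normalise before parsing.
  $normalized = str_replace('\\', '/', $destination);
  if (strpos($normalized, '//') === 0) {
    return FALSE;
  }
  $parts = parse_url($normalized);
  if ($parts === FALSE) {
    return FALSE;
  }
  foreach (array('scheme', 'host', 'user', 'pass', 'port') as $key) {
    if (isset($parts[$key])) {
      return FALSE;
    }
  }
  return TRUE;
}

/**
 * Redirect target for the currency switch: the requested destination when it
 * is local, otherwise a fallback (empty string = front page, an assumption
 * matching drupal_goto()'s default).
 */
function safe_redirect_target($destination, $fallback = '') {
  return is_local_destination($destination) ? $destination : $fallback;
}

// Constructed sample inputs; each line shows where the user would be sent.
$samples = array('node/12', 'cart?currency=EUR', 'http://other.example/',
  '//other.example', '/\other.example', 'javascript:alert(1)');
foreach ($samples as $dest) {
  $target = safe_redirect_target($dest);
  printf("%-24s -> %s\n", $dest, $target === '' ? '(front page)' : $target);
}
```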
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Ubercart Currency Conversion 6.x-1.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Ubercart Currency Conversion module, there is nothing you need to do.
Solution
- If you use the Ubercart Currency Conversion module for Drupal 6.x, upgrade to Ubercart Currency Conversion 6.x-1.2
Also see the Ubercart Currency Conversion project page.
Reported by
- Pere Orga provisional member of the Drupal Security Team
Fixed by
- Sudhir Krishna S the module maintainer
Coordinated by
- Pere Orga provisional member of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
SA-CONTRIB-2015-018 – Video – Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2015-018
- Project: Video (third-party module)
- Version: 7.x
- Date: 2015-January-14
- Security risk: 13/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
- Vulnerability: Cross Site Scripting
Description
This module enables you to upload, convert and playback videos.
The module doesn’t sufficiently sanitize node titles when using the video WYSIWYG plugin, thereby opening a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “create video nodes” and that WYSIWYG video plugin must be enabled.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Video 7.x-2.x versions from 7.x-2.2-beta1 to 7.x-2.10.
Drupal core is not affected. If you do not use the contributed Video module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the video module for Drupal 7.x-2.x, upgrade to Video 7.x-2.11
Also see the Video project page.
Reported by
- Pere Orga provisional member of the Drupal Security Team
Fixed by
- Heshan Wanigasooriya the module maintainer
Coordinated by
- Pere Orga provisional member of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
SA-CONTRIB-2015-017 – Room Reservations – Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2015-017
- Project: Room Reservations (third-party module)
- Version: 7.x
- Date: 2015-January-14
- Security risk: 13/25 (Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
- Vulnerability: Cross Site Scripting
Description
The Room Reservations module enables you to manage a room reservation system.
The module doesn’t sufficiently sanitize the node title of “Room Reservations Category” nodes and the body of “Room Reservations Room” nodes, thereby leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a user account with the permission “Administer the room reservations system”.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Room Reservations 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Room Reservations module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Room Reservations module for Drupal 7.x, upgrade to Room Reservations 7.x-1.1
Also see the Room Reservations project page.
Reported by
- Pere Orga provisional member of the Drupal Security Team
Fixed by
- Peter Lindstrom the module maintainer
Coordinated by
- Pere Orga provisional member of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity