Monthly Archives: January 2017

Drupal

Microblog – Critical – Unsupported – SA-CONTRIB-2017-007

Description

This module enables microblogging on Drupal sites using it.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All versions

Drupal core is not affected. If you do not use the contributed microblog module, there is nothing you need to do.

Solution

If you use the microblog module for Drupal 7.x you should uninstall it.

Also see the microblog project page.

Reported by

Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal

OAuth – Less Critical – Access Bypass – SA-CONTRIB-2017-006

Description

This module enables you to use the OAuth 1.a protocol to authenticate requests.

The module does not does not implement the OAuth 1.0a security fix reported at https://oauth.net/advisories/2009-1/.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • OAuth 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed OAuth module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use the OAuth module for Drupal 7.x, upgrade to OAuth 7.x-3.3

Also see the OAuth project page.

Reported by

Fixed by

Coordinated by

Changelog

  • 2017-01-25: Released the advisory as unsupported module.
  • 2017-01-25: Updated the advisory as the module is supported again and a security release was made.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
Drupal 7.x
Hackers News

New Trojan Turns Thousands Of Linux Devices Into Proxy Servers

“Linux doesn’t get viruses” — It’s a Myth.

A new Trojan has been discovered in the wild that turns Linux-based devices into proxy servers, which attackers use to protect their identity while launching cyber attacks from the hijacked systems.

Dubbed Linux.Proxy.10, the Trojan was first spotted at the end of last year by the researchers from Russian security firm Doctor Web, who later

Fedora

ghostscript-9.20-6.fc24

This is a security update for these CVEs:

* [CVE-2016-9601](https://bugzilla.redhat.com/show_bug.cgi?id=1410021) – *Heap-buffer overflow in jbig2_image_new function*

This update also solves possible licensing issues with ghostscritpt’s source code.