CVE-2015-8982

Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.

Drupal Core – Multiple Vulnerabilities – SA-CORE-2017-001

Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.

Upgrading your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. See the 8.2.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

  • Advisory ID: DRUPAL-SA-CORE-2017-001
  • Project: Drupal core
  • Version: 8.x
  • Date: 2017-March-15

Description

Editor module incorrectly checks access to inline private files – Drupal 8 – Access Bypass – Critical – CVE-2017-6377

When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass.

Some admin paths were not protected with a CSRF token – Drupal 8 – Cross Site Request Forgery – Moderately Critical – CVE-2017-6379

Some administrative paths did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

Remote code execution – Drupal 8 – Remote code execution – Moderately Critical – CVE-2017-6381

A third-party development library included with Drupal 8's development dependencies is vulnerable to remote code execution.

This is mitigated by the default .htaccess protection against PHP execution, and by the fact that Composer development dependencies aren't normally installed on production sites.

You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren’t vulnerable, you can remove the /vendor/phpunit directory from the site root of your production deployments.
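The check and remediation described above, written out as an added example (this is not the advisory's or the Drupal project's own script). It assumes the standard Drupal 8 docroot layout, where core/lib/Drupal.php declares `const VERSION = '8.x.y';`, and that PHPUnit lives at vendor/phpunit; the function names and the fixture tree it builds for a dry run are mine.

```shell
#!/bin/sh
# Added example: audit a Drupal 8 docroot for the SA-CORE-2017-001 RCE
# mitigation (core >= 8.2.2, and no vendor/phpunit on production).

# version_ge A B: exit 0 when dotted version A is >= B (numeric compare per
# component; a suffix such as "-rc1" is ignored by awk's numeric conversion).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      ai = (i in x) ? x[i] + 0 : 0;
      bi = (i in y) ? y[i] + 0 : 0;
      if (ai > bi) exit 0;
      if (ai < bi) exit 1;
    }
    exit 0 }'
}

# Read the core version string out of core/lib/Drupal.php (real Drupal 8 layout).
drupal_core_version() {
  sed -n "s/^ *const VERSION = '\([^']*\)';.*/\1/p" "$1/core/lib/Drupal.php"
}

# Audit one docroot. Exit code is a bitmask:
#   1 = core older than 8.2.2 (the advisory's threshold)
#   2 = vendor/phpunit present (should be removed from production)
#   4 = no core version found (not a Drupal 8 docroot?)
audit_drupal_root() {
  root="$1"; rc=0
  ver=$(drupal_core_version "$root")
  if [ -z "$ver" ]; then
    echo "no core version found under $root"
    return 4
  fi
  if ! version_ge "$ver" 8.2.2; then
    echo "core $ver is older than 8.2.2: upgrade to 8.2.7"
    rc=$((rc + 1))
  fi
  if [ -d "$root/vendor/phpunit" ]; then
    echo "vendor/phpunit present: remove it from production"
    rc=$((rc + 2))
  fi
  return $rc
}

# The advisory's remediation step: drop the dev-only PHPUnit tree.
remove_phpunit() {
  rm -rf "$1/vendor/phpunit"
}

# Constructed fixture (not a real site): the minimum tree the audit inspects,
# with the requested core version. Prints the temp directory path.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/core/lib" "$root/vendor/phpunit/phpunit"
  printf "<?php\nclass Drupal {\n  const VERSION = '%s';\n}\n" "$1" \
    > "$root/core/lib/Drupal.php"
  echo "$root"
}

# Usage: sh audit.sh /var/www/html
if [ "$#" -gt 0 ]; then
  audit_drupal_root "$1"
fi
```

Run it against the real docroot rather than the fixture; an exit code of 0 means the site is at or past 8.2.2 and has no vendor/phpunit directory, which is the state the advisory describes as not vulnerable.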

Solution

Upgrade to Drupal 8.2.7

Reported by

Editor module incorrectly checks access to inline private files – Drupal 8 – Access Bypass – Critical – CVE-2017-6377

Some admin paths were not protected with a CSRF token – Drupal 8 – Cross Site Request Forgery – Moderately Critical – CVE-2017-6379

Remote code execution – Drupal 8 – Remote code execution – Moderately Critical – CVE-2017-6381

Fixed by

Editor module incorrectly checks access to inline private files – Drupal 8 – Access Bypass – Critical – CVE-2017-6377

Some admin paths were not protected with a CSRF token – Drupal 8 – Cross Site Request Forgery – Moderately Critical – CVE-2017-6379

Remote code execution – Drupal 8 – Remote code execution – Moderately Critical – CVE-2017-6381

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

US Charges Two Russian Spies & Two Hackers For Hacking 500 Million Yahoo Accounts

The 2014 Yahoo hack, disclosed late last year, which compromised over 500 million Yahoo user accounts, was believed to have been carried out by a state-sponsored hacking group.

Now, two Russian intelligence officers and two criminal hackers have been charged by the US government in connection with the 2014 Yahoo hack that compromised about 500 million Yahoo user accounts, the Department of Justice

Private – Critical – Access bypass – DRUPAL-SA-CONTRIB-2017-031

Description

This module enables you to mark nodes as private so that they are only accessible to users who have been granted an extra permission.

The module doesn’t always enforce the access restrictions. In some cases a node that a site admin expects to be private is actually accessible as normal or nodes may be editable in ways a site admin may not expect.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Private 7.x-1.x versions

Drupal core is not affected. If you do not use the contributed Private module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Private module 7.x-1.x your site may be at risk. The only completely safe option is to take the website off-line. In most cases, disabling the module will not mitigate the vulnerabilities as that will expose even more private information.
  • A new maintainer has developed a beta secure version of the module using the 7.x-2.x branch. This is a partial rewrite and needs further testing. Please test it and provide bug reports and help developing patches.

Also see the Private project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity