-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2013-0007.1
Synopsis: VMware ESX third party update for Service Console package sudo
Issue date: 2013-05-30
Updated on: 2013-12-05
CVE number: CVE-2012-2337, CVE-2012-3440
- - -----------------------------------------------------------------------
1. Summary
VMware ESX third party update for Service Console package sudo
2. Relevant releases
VMware ESX 4.1 without patch ESX410-201312001
VMware ESX 4.0 without patch ESX400-201305001
3. Problem Description
a. Service Console update for sudo
The service console package sudo is updated to version
1.7.2p1-14.el5_8.3
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-2337 and CVE-2012-3440 to the issues
addressed in this update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMwareProductRunningReplace with/
ProductVersiononApply Patch
============================================
ESXianyESXinot affected
ESX4.1ESXESX410-201312401-SG
ESX4.0ESXESX400-201305402-SG
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
ESXi and ESX
--------------------------
http://www.vmware.com/patchmgr/download.portal
ESX 4.1
-------
File: ESX410-201312001.zip
Build: 1368001
md5sum: c35763a84db169dd0285442d4129cc18
sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
http://kb.vmware.com/kb/2061209
ESX410-201312001 contains ESX410-201312401-SG
ESX 4.0
-------
File: ESX400-201305001.zip
Build: 1070634
md5sum: c9ac91d3d803c7b7cb9df401c20b91c0
sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411
https://kb.vmware.com/kb/2044240
ESX400-201305001 contains ESX400-201305402-SG
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3440
- - -----------------------------------------------------------------------
6. Change log
2013-05-30 VMSA-2013-0007
Initial security advisory in conjunction with the release of ESX 4.0
patches on 2013-05-30.
2013-12-05 VMSA-2013-0007.1
Security advisory update in conjunction with the release of ESX 4.1
patches on 2013-12-05.
- - -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iEYEARECAAYFAlKhUgMACgkQDEcm8Vbi9kOk1QCfSIni5b2S0/kH5GOrBijlsGIq
HgoAoJqxCyke7a/OO3aGzBXZaZLZeLa4
=8fBO
-----END PGP SIGNATURE-----
Category Archives: Security
Security
UPDATED VMSA-2013-0007.1 VMware ESX third partyupdate for Service Console package sudo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2013-0007.1
Synopsis: VMware ESX third party update for Service Console package sudo
Issue date: 2013-05-30
Updated on: 2013-12-05
CVE number: CVE-2012-2337, CVE-2012-3440
- - -----------------------------------------------------------------------
1. Summary
VMware ESX third party update for Service Console package sudo
2. Relevant releases
VMware ESX 4.1 without patch ESX410-201312001
VMware ESX 4.0 without patch ESX400-201305001
3. Problem Description
a. Service Console update for sudo
The service console package sudo is updated to version
1.7.2p1-14.el5_8.3
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-2337 and CVE-2012-3440 to the issues
addressed in this update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMwareProductRunningReplace with/
ProductVersiononApply Patch
============================================
ESXianyESXinot affected
ESX4.1ESXESX410-201312401-SG
ESX4.0ESXESX400-201305402-SG
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
ESXi and ESX
--------------------------
http://www.vmware.com/patchmgr/download.portal
ESX 4.1
-------
File: ESX410-201312001.zip
Build: 1368001
md5sum: c35763a84db169dd0285442d4129cc18
sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
http://kb.vmware.com/kb/2061209
ESX410-201312001 contains ESX410-201312401-SG
ESX 4.0
-------
File: ESX400-201305001.zip
Build: 1070634
md5sum: c9ac91d3d803c7b7cb9df401c20b91c0
sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411
https://kb.vmware.com/kb/2044240
ESX400-201305001 contains ESX400-201305402-SG
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3440
- - -----------------------------------------------------------------------
6. Change log
2013-05-30 VMSA-2013-0007
Initial security advisory in conjunction with the release of ESX 4.0
patches on 2013-05-30.
2013-12-05 VMSA-2013-0007.1
Security advisory update in conjunction with the release of ESX 4.1
patches on 2013-12-05.
- - -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iEYEARECAAYFAlKhUgMACgkQDEcm8Vbi9kOk1QCfSIni5b2S0/kH5GOrBijlsGIq
HgoAoJqxCyke7a/OO3aGzBXZaZLZeLa4
=8fBO
-----END PGP SIGNATURE-----
NEW VMSA-2013-0015 VMware ESX updates to thirdparty libraries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VMware Security Advisory
Advisory ID: VMSA-2013-0015
Synopsis: VMware ESX updates to third party libraries
Issue date: 2013-12-05
Updated on: 2013-12-05 (initial release)
CVE numbers: --- kernel (service console) ---
CVE-2012-2372, CVE-2012-3552, CVE-2013-2147, CVE-2013-2164,
CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, CVE-2013-2237,
CVE-2013-2232
--- nss and nspr (service console) ---
CVE-2013-0791, CVE-2013-1620
- -------------------------------------------------------------------------
1. Summary
VMware has updated several third party libraries in ESX that address
multiple security vulnerabilities.
2. Relevant releases
VMware ESX 4.1 without patch ESX410-201312001
3. Problem Description
a. Update to ESX service console kernel
The ESX service console kernel is updated to resolve multiple
security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2012-2372, CVE-2012-3552, CVE-2013-2147,
CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234,
CVE-2013-2237, CVE-2013-2232 to these issues.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi any ESXi not applicable
ESX 4.1 ESX ESX410-201312401-SG
ESX 4.0 ESX patch pending
b. Update to ESX service console NSPR and NSS
This patch updates the ESX service console Netscape Portable
Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve
multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2013-0791 and CVE-2013-1620 to these
issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi any ESXi not applicable
ESX 4.1 ESX ESX410-201312403-SG
ESX 4.0 ESX patch pending
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
ESX 4.1
-------
File: ESX410-201312001.zip
md5sum: c35763a84db169dd0285442d4129cc18
sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
http://kb.vmware.com/kb/2061209
ESX410-201312001 contains ESX410-201312401-SG and ESX410-201312403-SG.
5. References
--- kernel (service console) ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2232
--- NSPR and NSS (service console) ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620
- -------------------------------------------------------------------------
6. Change log
2013-12-05 VMSA-2013-0015
Initial security advisory in conjunction with the release of ESX 4.1
patches on 2013-12-05.
- -------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iEYEARECAAYFAlKhUEEACgkQDEcm8Vbi9kMhDACfV3FNa6tlAK39I+nriVr462NJ
TtwAnRcl4PAICCPknirkUT804VlueHwZ
=cimI
-----END PGP SIGNATURE-----
NEW VMSA-2013-0015 VMware ESX updates to thirdparty libraries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VMware Security Advisory
Advisory ID: VMSA-2013-0015
Synopsis: VMware ESX updates to third party libraries
Issue date: 2013-12-05
Updated on: 2013-12-05 (initial release)
CVE numbers: --- kernel (service console) ---
CVE-2012-2372, CVE-2012-3552, CVE-2013-2147, CVE-2013-2164,
CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, CVE-2013-2237,
CVE-2013-2232
--- nss and nspr (service console) ---
CVE-2013-0791, CVE-2013-1620
- -------------------------------------------------------------------------
1. Summary
VMware has updated several third party libraries in ESX that address
multiple security vulnerabilities.
2. Relevant releases
VMware ESX 4.1 without patch ESX410-201312001
3. Problem Description
a. Update to ESX service console kernel
The ESX service console kernel is updated to resolve multiple
security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2012-2372, CVE-2012-3552, CVE-2013-2147,
CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234,
CVE-2013-2237, CVE-2013-2232 to these issues.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi any ESXi not applicable
ESX 4.1 ESX ESX410-201312401-SG
ESX 4.0 ESX patch pending
b. Update to ESX service console NSPR and NSS
This patch updates the ESX service console Netscape Portable
Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve
multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2013-0791 and CVE-2013-1620 to these
issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi any ESXi not applicable
ESX 4.1 ESX ESX410-201312403-SG
ESX 4.0 ESX patch pending
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
ESX 4.1
-------
File: ESX410-201312001.zip
md5sum: c35763a84db169dd0285442d4129cc18
sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
http://kb.vmware.com/kb/2061209
ESX410-201312001 contains ESX410-201312401-SG and ESX410-201312403-SG.
5. References
--- kernel (service console) ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2232
--- NSPR and NSS (service console) ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620
- -------------------------------------------------------------------------
6. Change log
2013-12-05 VMSA-2013-0015
Initial security advisory in conjunction with the release of ESX 4.1
patches on 2013-12-05.
- -------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iEYEARECAAYFAlKhUEEACgkQDEcm8Vbi9kMhDACfV3FNa6tlAK39I+nriVr462NJ
TtwAnRcl4PAICCPknirkUT804VlueHwZ
=cimI
-----END PGP SIGNATURE-----
[BSA-089] Security update for nbd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Wouter Verhelst uploaded new packages for nbd which fixed the following security problems: CVE-2013-6410 Incorrect parsing of the access control lists For the squeeze-backports distribution the problem has been fixed in version 1:3.2-4~deb7u4~bpo60+1 nbd is not present in any other backports repository. - -- This end should point toward the ground if you want to go to space. If it starts pointing toward space you are having a bad problem and you will not go to space today. -- http://xkcd.com/1133/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Icedove - http://www.enigmail.net/ iQIcBAEBAgAGBQJSn1DVAAoJEMKUD5Ub3wqd2iYP/i2eHcfBjLuaba7YYCJHXOsr npcNAZhl4eNaarp7Q5FcFT7Z3VXkjRRC40I/TgAMHofY13z1UjYWS8DpWJjmLaVZ D4EbnxZk/6fgfeNOLnjakzMMFD8mbgXgN3a9l6TaRc0u7tM/GwmwdxXK18vw2tic NdrI52H5FfHUKwCYduQyKvwpOLMdoxCMPv7KqQQFwHRfzv3aR4fR+5wjagZdMdwN K6tfusR9Wgeq8U3Dm4TRQ+9Nmoc0ZgjHl8YkvV5+Rlw56c66ptpwYQOHyO258SKF 4LvpmFRpNU
[ANNOUNCEMENT] Apache HTTP Server (httpd) 2.4.7 Released
Apache HTTP Server 2.4.7 Released
The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.7 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
principally a feature and bug fix release.
Also in this release are some exciting new features including:
*) Major updates to mod_proxy_fcgi
*) Higher performant event MPM
*) Enhancements to the WinNT MPM
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
NOTE: With this release, the Event MPM checks for acceptable use
of atomic operations. If the Event MPM no longer works on
your platform, be sure to contact [email protected].
Apache HTTP Server 2.4.7 is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.4 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase. For an overview of new features
introduced since 2.4 please see:
http://httpd.apache.org/docs/trunk/new_features_2_4.html
Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.4.7 includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
http://httpd.apache.org/security/vulnerabilities_24.html
This release requires the Apache Portable Runtime (APR) version 1.5.x
and APR-Util version 1.5.x. The APR libraries must be upgraded for all
features of httpd to operate correctly.
This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
CVE-2013-6375 (opensuse, xen)
Xen 4.2.x and 4.3.x, when using Intel VT-d for PCI passthrough, does not properly flush the TLB after clearing a present translation table entry, which allows local guest administrators to cause a denial of service or gain privileges via unspecified vectors related to an “inverted boolean parameter.”
CVE-2013-4589 (fedora, graphicsmagick, suse_linux_enterprise_debuginfo, suse_linux_enterprise_software_development_kit, suse_studio_onsite)
The ExportAlphaQuantumType function in export.c in GraphicsMagick before 1.3.18 might allow remote attackers to cause a denial of service (crash) via vectors related to exporting the alpha of an 8-bit RGBA image.
CVE-2013-4214
rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE_CACHE_ON is set to 1, allows local users to overwrite arbitrary files via a symlink attack on /tmp/magpie_cache. (CVSS:6.3) (Last Update:2014-03-05)
SA-CORE-2013-003 – Drupal core – Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CORE-2013-003
- Project: Drupal core
- Version: 6.x, 7.x
- Date: 2013-November-20
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Description
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.
Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation – Drupal 6 and 7)
Drupal’s form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations. Given that the CSRF protection is an especially important validation, the Drupal core form API has been changed in this release so that it now skips subsequent validation if the CSRF validation fails.
This vulnerability is mitigated by the fact that a form validation callback with potentially unsafe side effects must be active on the site, and none exist in core. However, issues were discovered in several popular contributed modules which allowed remote code execution that made it worthwhile to fix this issue in core. Other similar issues with varying impacts are likely to have existed in other contributed modules and custom modules and therefore will also be fixed by this Drupal core release.
Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation – Drupal 6 and 7)
Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances.
This vulnerability has no mitigation; all Drupal sites are affected until the security update has been applied.
Code execution prevention (Files directory .htaccess for Apache – Drupal 6 and 7)
Drupal core attempts to add a “defense in depth” protection to prevent script execution by placing a .htaccess file into the files directories that stops execution of PHP scripts on the Apache web server. This protection is only necessary if there is a vulnerability on the site or on a server that allows users to upload malicious files. The configuration in the .htaccess file did not prevent code execution on certain Apache web server configurations. This release includes new configuration to prevent PHP execution on several additional common Apache configurations. If you are upgrading a site and the site is run by Apache you must fix the file manually, as described in the “Solution” section below.
This vulnerability is mitigated by the fact that it only relates to a defense in depth mechanism, and sites would only be vulnerable if they are hosted on a server which contains code that does not use protections similar to those found in Drupal’s file API to manage uploads in a safe manner.
Access bypass (Security token validation – Drupal 6 and 7)
The function drupal_valid_token() can return TRUE for invalid tokens if the caller does not make sure that the token is a string.
This vulnerability is mitigated by the fact that a contributed or custom module must invoke drupal_validate_token() with an argument that can be manipulated to not be a string by an attacker. There is currently no known core or contributed module that would suffer from this vulnerability.
Cross-site scripting (Image module – Drupal 7)
Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a cross-site scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a permission to administer field descriptions, for example the “administer taxonomy” permission to edit fields on taxonomy terms.
Cross-site scripting (Color module – Drupal 7)
A cross-site scripting vulnerability was found in the Color module. A malicious attacker could trick an authenticated administrative user into visiting a page containing specific JavaScript that could lead to a reflected cross-site scripting attack via JavaScript execution in CSS.
This vulnerability is mitigated by the fact that it can only take place in older browsers, and in a restricted set of modern browsers, namely Opera through user interaction, and Internet Explorer under certain conditions.
Open redirect (Overlay module – Drupal 7)
The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.
This vulnerability is mitigated by the fact that it can only be used against site users who have the “Access the administrative overlay” permission.
CVE identifier(s) issued
- Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation): CVE-2013-6385
- Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation – Drupal 6 and 7): CVE-2013-6386
- Code execution prevention (Files directory .htaccess for Apache – Drupal 6 and 7): No CVE; considered remediated through “security hardening”
- Access bypass (Security token validation – Drupal 6 and 7): No CVE; considered remediated through “security hardening.”
- Cross-site scripting (Image module – Drupal 7): CVE-2013-6387
- Cross-site scripting (Color module – Drupal 7): CVE-2013-6388
- Open redirect (Overlay module – Drupal 7): CVE-2013-6389
Versions affected
- Drupal core 6.x versions prior to 6.29.
- Drupal core 7.x versions prior to 7.24.
Solution
Install the latest version:
- If you use Drupal 6.x, upgrade to Drupal core 6.29.
- If you use Drupal 7.x, upgrade to Drupal core 7.24.
Also see the Drupal core project page.
Warning: Fixing the code execution prevention may require server configuration; please read:
To fix the code execution prevention vulnerability on existing Apache installations also requires changes to your site’s .htaccess files in the files directories. Until you do this, your site’s status report page at admin/reports/status will display error messages about the problem. Please note that if you are using a different web server such as Nginx the .htaccess files have no effect and you need to configure PHP execution protection yourself in the respective server configuration files.
To fix this issue, you must edit or replace the old .htaccess files manually. Copies of the .htaccess files are found in the site’s files directory and temporary files directory, and (for Drupal 7 only) the separate private files directory if your site is configured to use one. To find the location of these directories, consult the error messages at admin/reports/status, or visit the file system configuration page at admin/settings/file-system (Drupal 6) or admin/config/media/file-system (Drupal 7). Note that you should only make changes to the .htaccess files that are found in the directories specified on that page. Do not change the top-level .htaccess file (at the root of your Drupal installation).
Go onto your server, navigate to each directory, and replace or create the .htaccess file in this directory with the contents described below. Alternatively, you can remove the .htaccess file from each directory using SFTP or SSH and then visit the file system configuration page (admin/settings/file-system in Drupal 6 or admin/config/media/file-system in Drupal 7) and click the save button to have Drupal create the file automatically.
The recommended .htaccess file contents are as follows.
For Drupal 6:
# Turn off all options we don't need.
Options None
Options +FollowSymLinks
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
 # Override the handler again if we're run later in the evaluation list.
 SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
 php_flag engine off
</IfModule>
# PHP 4, Apache 1.
<IfModule mod_php4.c>
 php_flag engine off
</IfModule>
# PHP 4, Apache 2.
<IfModule sapi_apache2.c>
 php_flag engine off
</IfModule>
For Drupal 7:
# Turn off all options we don't need.
Options None
Options +FollowSymLinks
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
 # Override the handler again if we're run later in the evaluation list.
 SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
 php_flag engine off
</IfModule>
Additionally, the .htaccess of the temporary files directory and private files directory (if used) should include this command:
Deny from allReported by
- The form validation cross-site request forgery issue was reported by Heine Deelstra of the Drupal Security Team.
- The non-random seed vulnerability was reported by David Stoline of the Drupal Security Team.
- The code execution prevention vulnerability was reported by Lee Rowlands of the Drupal Security Team, Miguel Jacq, artfulrobot, and Dave Fletcher.
- The token access bypass issue was reported by Heine Deelstra of the Drupal Security Team.
- The Image module cross-site scripting issue was reported by Francisco José Cruz Romanos.
- The Color module cross-site scripting issue was reported by Mauro Gentile.
- The open redirect in the Overlay module was reported by Stephane Corlosquet of the Drupal Security Team, and by Sebastian Nerz.
Fixed by
- The form validation cross-site request forgery issue was fixed by Lee Rowlands and Klaus Purer, both of the Drupal Security Team.
- The non-random seed vulnerability was fixed by Owen Barton, David Stoline, Heine Deelstra, Damien Tournoud, and Peter Wolanin, all of the Drupal Security Team.
- The code execution prevention vulnerability was fixed by David Rothstein of the Drupal Security Team, Morbus Iff of the Drupal Security Team, Dan Reif, Antoine Beaupré, Miguel Jacq, Christopher Gervais, and Herman van Rink.
- The token access bypass issue was fixed by Heine Deelstra, Klaus Purer, and David Rothstein, all of the Drupal Security Team.
- The Image module cross-site scripting issue was fixed by Francisco José Cruz Romanos, and Peter Wolanin of the Drupal Security Team.
- The Color module cross-site scripting issue was fixed by David Rothstein of the Drupal Security Team.
- The open redirect in the Overlay module was fixed by Heine Deelstra of the Drupal Security Team.
Coordinated by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Drupal version: