it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042
- Date: Wed, 27 Jun 2018 18:24:40 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-042
Project: Generate Password [1]
Version: 7.x-1.x-dev
Date: 2018-June-27
Security risk: *Less critical* 9∕25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Insecure Randomness
Description:
The Genpass module makes the password field optional (or hidden) on the add
new user page (admin & registration). If the password field is not set during
registration, the system generates a password.
The module doesn't use a strong source of randomness, creating weak and
predictable passwords.
This vulnerability is mitigated by the fact that the site must be configured
to reveal the password to the attacker which is a common configuration.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
Solution:
Install the latest version:
* If you use the Genpass module for Drupal 7.x-1.x, upgrade to Genpass
7.x-1.1 [4]
Also see the Generate Password [5] project page.
Reported By:
* Greg Knaddison [6] of the Drupal Security Team
Fixed By:
* Joel Stein [7] a module maintainer
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/genpass
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/genpass/releases/7.x-1.1
[5] https://www.drupal.org/project/genpass
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/36598
[8] https://www.drupal.org/u/greggles
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042, security-news, 27.06.2018
Archiv bereitgestellt durch MHonArc 2.6.19.