
it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements


[IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006
  • Date: Wed, 17 Apr 2019 20:50:46 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-core-2019-006

Project: Drupal core [1]
Date: 2019-April-17
Security risk: *Moderately critical* 10/25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting

Description: 
The jQuery project released version 3.4.0, and as part of that, disclosed a
security vulnerability that affects all prior versions. As described in their
release notes [3]:

>jQuery 3.4.0 includes a fix for some unintended behavior when using
>jQuery.extend(true, {}, ...). If an unsanitized source object contained an
>enumerable __proto__ property, it could extend the native Object.prototype.
>This fix is included in jQuery 3.4.0, but patch diffs exist to patch
>previous jQuery versions.
>
It's possible that this vulnerability is exploitable with some Drupal
modules. As a precaution, this Drupal security release backports the fix to
jQuery.extend(), without making any other changes to the jQuery version that
is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or
running on the site via some other module such as jQuery Update [4].
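To make the mechanism concrete, here is an added example (not code from the advisory, Drupal or jQuery): a minimal deep-extend that behaves like the pre-fix merge, the same guard the jQuery 3.4.0 fix adds, and a self-check that reports whether a given extend implementation is patched. The function names and the probe key are constructed for this example.

```javascript
// Added example, not code from the advisory, Drupal or jQuery: a minimal
// deep-extend with the mechanism the advisory describes, the guard the
// jQuery 3.4.0 fix adds, and a self-check for whether an extend is patched.

// jQuery 3.x counts null-prototype objects (Object.prototype included) as
// plain, which is what lets the deep merge recurse into Object.prototype.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// guarded=false is the pre-fix behaviour: for the key "__proto__",
// target[name] resolves to Object.prototype, so nested values land on the
// prototype shared by every object. guarded=true adds the 3.4.0 check.
function deepExtend(target, source, guarded) {
  for (const name of Object.keys(source)) {
    const copy = source[name];
    // Prevent Object.prototype pollution and a never-ending self-merge.
    if (guarded && (name === "__proto__" || copy === target)) continue;
    if (isPlainObject(copy)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepExtend(clone, copy, guarded);
    } else {
      target[name] = copy;
    }
  }
  return target;
}

const deepExtendUnsafe = (t, s) => deepExtend(t, s, false);
const deepExtendSafe = (t, s) => deepExtend(t, s, true);

// Self-check: merge a constructed JSON document carrying an own enumerable
// "__proto__" key (which is what JSON.parse produces) into a fresh object,
// then report whether an unrelated object picked up the probe key.
function extendIsPatched(extendFn) {
  const probe = "__sa_core_2019_006_probe__"; // constructed marker name
  const untrusted = JSON.parse(`{"__proto__": {"${probe}": true}}`);
  try {
    extendFn({}, untrusted);
    return ({})[probe] === undefined;
  } finally {
    delete Object.prototype[probe]; // never leave the prototype modified
  }
}
```

Passing a site's own `(t, s) => jQuery.extend(true, t, s)` to `extendIsPatched` in a browser console gives the same patched/unpatched answer for the jQuery copy actually loaded on the page.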

Solution: 
Install the latest version:

* If you are using Drupal 8.6, update to Drupal 8.6.15 [5].
* If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15 [6].
* If you are using Drupal 7, update to Drupal 7.66 [7].

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive
security coverage.

Also see the Drupal core [8] project page.

Additional information

All advisories released today:

* SA-CORE-2019-005 [9]
* SA-CORE-2019-006 [10]

Updating to the latest Drupal core release will apply the fixes for all the
above advisories.

Reported By: 
* dtv_rb [11]
* Jess [12] of the Drupal Security Team

Fixed By: 
* Alex Bronstein [13] of the Drupal Security Team
* Lee Rowlands [14] of the Drupal Security Team
* Jess [15] of the Drupal Security Team
* Lauri Eskola [16]
* Greg Knaddison [17] of the Drupal Security Team
* Neil Drumm [18] of the Drupal Security Team
* Samuel Mortenson [19] of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
[4] https://www.drupal.org/project/jquery_update
[5] https://www.drupal.org/project/drupal/releases/8.6.15
[6] https://www.drupal.org/project/drupal/releases/8.5.15
[7] https://www.drupal.org/project/drupal/releases/7.66
[8] https://www.drupal.org/project/drupal
[9] https://www.drupal.org/sa-core-2019-005
[10] https://www.drupal.org/sa-core-2019-006
[11] https://www.drupal.org/user/3528196
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/78040
[14] https://www.drupal.org/user/395439
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/1078742
[17] https://www.drupal.org/user/36762
[18] https://www.drupal.org/user/3064
[19] https://www.drupal.org/user/2582268

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

