Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Examples for Developers - Critical - Remote Code Execution - SA-CONTRIB-2020-035

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Examples for Developers - Critical - Remote Code Execution - SA-CONTRIB-2020-035


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Examples for Developers - Critical - Remote Code Execution - SA-CONTRIB-2020-035
  • Date: Wed, 18 Nov 2020 17:55:47 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2020-035

Project: Examples for Developers [1]
Date: 2020-November-18
Security risk: *Critical* 17∕25
AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Remote Code Execution

Description: 
The File Example submodule within the Examples project does not properly
sanitize certain filenames as described in SA-CORE-2020-012 [3], along with
other related vulnerabilities.

Therefore, File Example so is being removed from Examples until a version
demonstrating file security best practices can added back in the future.

Solution: 
Any sites that have File Example submodule installed should uninstall it
immediately

Then, install the latest version of Examples:

* If you use Examples 3 (Drupal 9-compatible), upgrade to Examples 3.0.2 [4]
* If you use the Examples module's 8.x-1.x branch, upgrade to Examples
8.x-1.1 [5]

Reported By: 
* Alex Pott [6] of the Drupal Security Team

Fixed By: 
* Valery Lourie [7]
* Samuel Mortenson [8] of the Drupal Security Team
* Jess (xjm) [9] of the Drupal Security Team
* Alex Pott [10] of the Drupal Security Team

Coordinated By: 
* Michael Hess [11] of the Drupal Security Team
* Jess (xjm) [12] of the Drupal Security Team
* Drew Webber [13] of the Drupal Security Team
* Alex Pott [14] of the Drupal Security Team


[1] https://www.drupal.org/project/examples
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2020-012
[4] https://www.drupal.org/project/examples/releases/3.0.2
[5] https://www.drupal.org/project/examples/releases/8.x-1.1
[6] https://www.drupal.org/user/157725
[7] https://www.drupal.org/user/239562
[8] https://www.drupal.org/user/2582268
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/157725
[11] https://www.drupal.org/user/102818
[12] https://www.drupal.org/user/xjm
[13] https://www.drupal.org/user/255969
[14] https://www.drupal.org/user/157725

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Examples for Developers - Critical - Remote Code Execution - SA-CONTRIB-2020-035, security-news, 18.11.2020

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang