it-securitynotifies - [IT-SecNots] [Security-news] Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001
  • Date: Wed, 17 Jan 2024 17:55:46 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-core-2024-001

Project: Drupal core [1]
Date: 2024-January-17
Security risk: *Moderately critical* 11∕25
AC:None/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Denial of Service

Affected versions: >=8.0 <10.1.8 || >=10.2 <10.2.2
Description: 
The Comment module allows users to reply to comments. In certain cases, an
attacker could make comment reply requests that would trigger a denial of
service (DoS).

Sites that do not use the Comment module are not affected.

Solution: 
Install the latest version:

* If you are using Drupal 10.2, update to Drupal 10.2.2 [3].
* If you are using Drupal 10.1, update to Drupal 10.1.8 [4].

All versions of Drupal 10 prior to 10.1 are end-of-life and do not receive
security coverage. (Drupal 8 [5] and Drupal 9 [6] have both reached
end-of-life.)

Drupal 7 is not affected.

Reported By: 
* Alexander Antonenko [7]
* Doug Green [8]

Fixed By: 
* Lee Rowlands [9] of the Drupal Security Team
* Benji Fisher [10] of the Drupal Security Team
* Juraj Nemec [11] of the Drupal Security Team
* xjm [12] of the Drupal Security Team
* Lauri Eskola [13], provisional member of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/10.2.2
[4] https://www.drupal.org/project/drupal/releases/10.1.8
[5] https://www.drupal.org/psa-2021-06-29
[6] https://www.drupal.org/psa-2023-11-01
[7] https://www.drupal.org/user/225734
[8] https://www.drupal.org/user/29191
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/user/683300
[11] https://www.drupal.org/user/272316
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/1078742

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
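
Added example, not part of the advisory or of Drupal's own tooling: a triage helper that evaluates the advisory's "Affected versions" constraint against the drupal/core version recorded in a site's composer.lock and takes the Comment module exemption into account. The function names, the result strings and the sample lock file are assumptions made for illustration; the set of enabled modules is supplied by the caller.

```python
import json
import re

# Constraint string copied from the advisory's "Affected versions" line.
AFFECTED = ">=8.0 <10.1.8 || >=10.2 <10.2.2"

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

def parse_version(text):
    """'10.1.7' -> (10, 1, 7). Missing parts become 0; a suffix such as
    '-rc1' is ignored (simplification: a pre-release counts as its release)."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def in_range(version, constraint=AFFECTED):
    """'||' separates alternatives; space-separated terms must all hold."""
    v = parse_version(version)
    for alternative in constraint.split("||"):
        terms = re.findall(r"(>=|<=|>|<)\s*([\w.\-]+)", alternative)
        if terms and all(_OPS[op](v, parse_version(b)) for op, b in terms):
            return True
    return False

def triage(composer_lock_text, enabled_modules):
    """Classify one site from its composer.lock text and enabled module names."""
    lock = json.loads(composer_lock_text)
    core = next((p for p in lock.get("packages", [])
                 if p.get("name") == "drupal/core"), None)
    if core is None:
        return "drupal/core not found"
    if not in_range(core["version"]):
        return "not in affected range"
    if "comment" not in enabled_modules:
        return "in range, Comment module not enabled"
    return "affected"

# Constructed sample input, not taken from a real site.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "drupal/core", "version": "10.1.7"}]})

if __name__ == "__main__":
    print(triage(SAMPLE_LOCK, {"node", "comment"}))
```

A site reported as "in range, Comment module not enabled" is outside the exposure the advisory describes but still runs a release below the fixed versions.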

