it-securitynotifies AT lists.piratenpartei.de

Topic: Security announcements

List archive

[IT-SecNots] [Security-news] 3rd Party Libraries and Supply Chains - PSA-2024-06-26


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] 3rd Party Libraries and Supply Chains - PSA-2024-06-26
  • Date: Wed, 26 Jun 2024 15:42:08 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/psa-2024-06-26

Date: 2024-June-26
Description: 
Following on from previous PSAs on 3rd Party code in the Drupal ecosystem:

* PSA-2011-002 - External libraries and plugins [1]
* Various 3rd Party Vulnerabilities - PSA-2019-09-04 | Drupal.org [2]

It is the policy of the Drupal Security Team that site owners are responsible
for monitoring and maintaining the security of 3rd party libraries.

Supply chains are increasingly complex, and managing the associated risks is
challenging. Website owners should actively manage their dependencies,
potentially leveraging a Software Bill of Materials (SBOM) or scanner
services. Other relevant tools include CSP [3] and SRI [4].

Concerns around polyfill.io

The most recent case that has affected some contributed Drupal projects
relates to the polyfill.io service.

Recently, a new organization acquired and updated the polyfill.io service.
The new service appears to be serving malicious content from the polyfill.io
endpoints under specific circumstances.

* https://thehackernews.com/2024/06/over-110000-websites-affected-by.html [5]
* https://sansec.io/research/polyfill-supply-chain-attack [6]
* https://github.com/polyfillpolyfill/polyfill-service/issues/2873 [7]

In response to these concerns, several trusted providers of JavaScript
libraries are now also serving replacements for the polyfill.io service.
Website owners should update their site to incorporate a newer, more reliable
source for the polyfill.io files.

* https://community.fastly.com/t/new-options-for-polyfill-io-users/2540 [8]
* https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-yo... [9]

On the other hand, the polyfills may no longer be necessary in many cases,
and it may be possible to remove them from sites rather than rely on a new
source.
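The two remediation paths above (switch the polyfill source to a trusted provider, or drop the polyfill entirely) start with an inventory of which external scripts a site actually loads. The script below is an added example and is not part of this PSA or of any Drupal project; it audits the rendered HTML of a page for scripts still pointing at polyfill.io hosts, scripts from hosts outside a site-specific allowlist, and external scripts that carry no SRI `integrity` attribute, and it also shows how the SRI value for a locally vendored copy is computed and how the same allowlist becomes a CSP `script-src` directive. The allowlist, the sample HTML, the third-party hostname and the `sha384-PLACEHOLDER` value are all constructed for the example.

```python
"""Audit external <script> tags for third-party supply-chain risk.

Added example, not part of the Drupal PSA. It flags scripts that are still
loaded from polyfill.io hosts, scripts from hosts outside a site-specific
allowlist, and external scripts without a Subresource Integrity (SRI)
attribute, then shows how an SRI value is computed for a vendored copy and
how the same allowlist becomes a CSP script-src directive.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames of the service discussed in the PSA.
POLYFILL_HOSTS = {"polyfill.io", "cdn.polyfill.io"}

# Hypothetical allowlist: the CDNs this site owner has decided to trust.
ALLOWED_HOSTS = {"cdnjs.cloudflare.com", "cdn.jsdelivr.net"}

# Constructed sample page; the integrity value is a placeholder, not a real hash.
SAMPLE_HTML = """
<html><head>
<script src="/core/misc/drupal.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example-third-party.test/widget.js"></script>
</head><body></body></html>
"""


class _ScriptCollector(HTMLParser):
    """Collect (src, integrity) pairs from every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr = dict(attrs)
        if attr.get("src"):
            self.scripts.append((attr["src"].strip(), attr.get("integrity")))


def _host_of(src):
    """Hostname of a script URL; '' for same-origin (relative) paths."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def audit_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Map each risky external script src to a list of finding codes.

    Codes: 'polyfill-io' (served by the service named in the PSA),
    'host-not-allowlisted', 'missing-sri'. Same-origin scripts are skipped.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    findings = {}
    for src, integrity in collector.scripts:
        host = _host_of(src)
        if not host:
            continue
        codes = []
        if host in POLYFILL_HOSTS or host.endswith(".polyfill.io"):
            codes.append("polyfill-io")
        elif host not in allowed_hosts:
            codes.append("host-not-allowlisted")
        if not integrity:
            codes.append("missing-sri")
        if codes:
            findings[src] = codes
    return findings


def sri_hash(data, algo="sha384"):
    """SRI integrity value for a static file you host or vendor yourself."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def csp_script_src(allowed_hosts=ALLOWED_HOSTS):
    """CSP script-src directive that permits only self and the allowlist."""
    sources = " ".join("https://" + h for h in sorted(allowed_hosts))
    return f"script-src 'self' {sources}"


if __name__ == "__main__":
    for src, codes in audit_scripts(SAMPLE_HTML).items():
        print(f"{src}: {', '.join(codes)}")
    print(csp_script_src())
    print(sri_hash(b"console.log('vendored copy');"))
```

Run against the constructed page, the polyfill.io script and the unlisted third-party script are reported; the cdnjs script with an `integrity` attribute is not. Note that SRI only helps once the script is a fixed file: the original polyfill.io service tailored its response to the requesting browser's User-Agent, so no single hash could be pinned to it, which is why the PSA's answer is to replace the source or remove the polyfill rather than to add `integrity` to the existing tag. Combining the allowlist with a CSP `script-src` directive means that a tag someone forgot to migrate fails closed in the browser instead of silently loading from the old host.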

Multiple Drupal projects use this service in various ways, and several of
them require code changes and new releases to switch to alternative
providers. As this relates to 3rd party libraries, the Drupal Security Team
will not be issuing Security Advisories for these projects; the work has been
done in the public issue queues [10] (note that this may not be a complete list
of all affected projects).

There have been significant changes in the way that 3rd party code is
utilized in the Drupal ecosystem since PSA-2011-002 linked to above, but the
remit of the Drupal Security Team remains limited to code hosted on
drupal.org’s systems.

Reported By: 
* Heikki Ylipaavalniemi [11]
* jpieper [12]
* drupalam [13]

Coordinated By: 
* Drew Webber [14] of the Drupal Security Team
* Greg Knaddison [15] of the Drupal Security Team
* Cathy Theys [16] of the Drupal Security Team
* Juraj Nemec [17] of the Drupal Security Team
* Michael Hess [18] of the Drupal Security Team


[1] https://www.drupal.org/node/1189632
[2] https://www.drupal.org/psa-2019-09-04
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
[4] https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
[5] https://thehackernews.com/2024/06/over-110000-websites-affected-by.html
[6] https://sansec.io/research/polyfill-supply-chain-attack
[7] https://github.com/polyfillpolyfill/polyfill-service/issues/2873
[8] https://community.fastly.com/t/new-options-for-polyfill-io-users/2540
[9] https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk
[10] https://www.drupal.org/project/issues/search?issue_tags=polyfill.io
[11] https://www.drupal.org/user/3442607
[12] https://www.drupal.org/user/782988
[13] https://www.drupal.org/user/1076400
[14] https://www.drupal.org/user/255969
[15] https://www.drupal.org/user/36762
[16] https://www.drupal.org/user/258568
[17] https://www.drupal.org/user/272316
[18] https://www.drupal.org/user/102818

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
