-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4116
                          drupal7 security update
                              20 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           drupal7
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13671 CVE-2020-13666

Reference:         ESB-2020.4096
                   ESB-2020.3175

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2458

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2458-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                Emilio Pozuelo Monfort
November 19, 2020                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : drupal7
Version        : 7.52-2+deb9u12
CVE ID         : CVE-2020-13666 CVE-2020-13671

Two vulnerabilities were discovered in Drupal, a fully-featured content
management framework.

CVE-2020-13666

    The Drupal AJAX API did not disable JSONP by default, which could lead
    to cross-site scripting.

    For setups that relied on Drupal's AJAX API for JSONP requests, either
    JSONP will need to be re-enabled, or the jQuery AJAX API will have to
    be used instead.

    See the upstream advisory for more details:
    https://www.drupal.org/sa-core-2020-007

CVE-2020-13671

    Drupal failed to sanitize filenames on uploaded files, which could lead
    to those files being served as the wrong MIME type, or being executed
    depending on the server configuration.

    It is also recommended to check previously uploaded files for malicious
    extensions.
    For more details see the upstream advisory:
    https://www.drupal.org/sa-core-2020-012

For Debian 9 stretch, these problems have been fixed in version
7.52-2+deb9u12.

We recommend that you upgrade your drupal7 packages.

For the detailed security status of drupal7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/drupal7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAl+2W0MACgkQnUbEiOQ2
gwLmVhAAroo0l1+hEh1VZ2QNj7kEoffcXZ35nvSXtsfFDDJcVarojRrBAHbK2BYa
sDljwaWMlo2chKoEsPNoXPCH17TEgyTHguU2YrX559Z1bDF4/Wj1rXEBUzwRl/Mc
uh5fXkOzASfDxnS8p1e2Qh/ksnIf1Z1CC7DvzdOfBOmqQs5s+3zgd9uYiikHX8NR
Ucbh3Ji2doCrYh3ZfH0eTujg7KLySjp4hdb8ocgQLMULV8f/ybdm7CA8eB1SWSj0
cbr7qjDye3Ig3xFvdBmUvRXrBGKakuN8c4rpV+tIKrQiOyARubsH0IMfOP6aJVLl
Zn9cdNrGN6DJd2LVXfmJNcyci62kIL99q+TeQntNwYfRASyWHLyPylYmJhrcnK++
EJhonrHd9SorQkbvlpDn/C0E/zILoA9fENygTb990mSnPSqnsjlWpbkofpGESIZJ
JGmXJfV6vTuZ5ms+rcnp2w8+S8gvZQhDxZb01U+N8U+3EOYGkRi0K2P9hb4SboXg
pUSGYa6twbQDm5XzReVEipAuqGSyH22agCckGAiZmluz3iikgQF+GYfa/n/XQirB
zq5GGYyiZOvkcVg5pQWGgzcj7KZxDvnvyAY2N+SaN2ohqWYMKgN+Z8pyc3TSHd7G
3NqWZ6BmNJo6A24xn72fmdJJcvHlbw698KgcHgTTBeQjs5ImIJc=
=r4OE
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX7bxieNLKJtyKPYoAQjulQ//cGSeeTEI+U2NDBBPlVGJCzuNY1JyZDER
LpJVKiFapuLeJZmbIuv3d2duttAGwAUtmlVd4+MEfkhNItcMWOqFY2+ZAevLx99O
whWvIx/2HJT3Qt+eSALMAPeM+3Cx0RVmPx1ROsnCcVVEPC+DpHnygyBi1MjKb52j
8J96k/8PoBm8HuUTFlQdt5/axuh4OWD2fXFEib1lO1LRCIHn8V6OPgRBHVzoCZ2z
zq8psCTNg/iuwbxD8yoqhLPDsbrTwlz93ubm6nGN2yZ1I6hHR3trGwI2JqjtCKun
BezB8IvChxcBnZhLRq+g6OlBGP8HWNrQpG02SbefRB+T3BFo0ZPQrwszr+aNg2HJ
FKACyXCGH5SPgmUHasYZu3nHWgibJToOhAIlCVdgoHXIBJYhx7uvzlqWerVmvErP
jNcFxKCOm6RFbNIE7bhpIaj9G+BIHKVcHeA+lw9WO6tdOqo1yBG4OqhkkGl4xuOG
yNWY7ZrrqA2NIzVa1zZsxMB2Uh/KlpOrDvqPz3U2Xy1xjr5NMH0YpXjzeQT1+nUN
Rj8WnKeb09NZm7dCphl3LkXztas9rrbSnQS3qL4G41FadU1mvQMhxNZ+4Z+mhTVA
P3Ktv/Rp2+H+HiTIDQywZlP131nXUEWnb/Lb6vPEHGmxEjVRFbK+P/Zj/pz093p/
MNsD835hyP4=
=1yUW
-----END PGP SIGNATURE-----
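The advisory's note on CVE-2020-13671 recommends checking previously uploaded files for malicious extensions. The script below is an added example, not Debian's, Drupal's or AusCERT's code. It audits a list of upload filenames for an executable extension anywhere in the dotted chain (the "wrong MIME type or executed, depending on server configuration" case) and shows a simplified filename munge that neutralises inner extensions not on an allow-list by appending an underscore, loosely modelled on how Drupal munges filenames (a reimplementation, not Drupal's own function). The DANGEROUS_EXTENSIONS list, the sample filenames and the sites/default/files path are assumptions; tune the list to the web server actually in front of the site.

```python
"""Audit upload filenames for dangerous inner extensions and munge them.

Added example (not Drupal's or Debian's code). Defender's view of the
CVE-2020-13671 class of problem: a file such as "report.php.txt" may be
handed to an interpreter or served as the wrong MIME type by some server
configurations, so (1) flag such names in an existing upload directory and
(2) sanitise new uploads so inner extensions can no longer match.
"""
import os
from typing import Iterable, List, Sequence, Tuple

# Assumed list of extensions a server might execute or serve as active
# content. Not taken from the advisory; adjust to your server configuration.
DANGEROUS_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "pl", "py", "cgi", "asp", "aspx", "js", "html", "htm", "htaccess",
})


def extension_chain(filename: str) -> List[str]:
    """Every dotted segment after the base name, lower-cased.

    "report.php.txt" -> ["php", "txt"]; ".htaccess" -> ["htaccess"];
    a name without a dot yields [].
    """
    base = os.path.basename(filename)
    return [part.lower() for part in base.split(".")[1:]]


def dangerous_extensions_in(filename: str,
                            dangerous: Iterable[str] = DANGEROUS_EXTENSIONS) -> List[str]:
    """Extensions of `filename` that appear on the dangerous list, in order."""
    bad = {d.lower() for d in dangerous}
    return [ext for ext in extension_chain(filename) if ext in bad]


def audit_filenames(filenames: Iterable[str],
                    dangerous: Iterable[str] = DANGEROUS_EXTENSIONS) -> List[Tuple[str, List[str]]]:
    """Flag every name with a dangerous extension anywhere in its chain.

    Returns (filename, offending extensions) pairs; an empty list is clean.
    The whole chain is inspected, not just the final extension, because the
    inner ".php" in "report.php.txt" is exactly what the advisory is about.
    """
    findings = []
    for name in filenames:
        hits = dangerous_extensions_in(name, dangerous)
        if hits:
            findings.append((name, hits))
    return findings


def audit_directory(root: str,
                    dangerous: Iterable[str] = DANGEROUS_EXTENSIONS) -> List[Tuple[str, List[str]]]:
    """Walk a real upload tree (assumed path: sites/default/files) and audit it."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return audit_filenames(paths, dangerous)


def final_extension_allowed(filename: str, allowed: Sequence[str]) -> bool:
    """Allow-list check on the last extension only (what an upload validator does)."""
    chain = extension_chain(filename)
    return bool(chain) and chain[-1] in {a.lower() for a in allowed}


def munge_filename(filename: str, allowed: Sequence[str]) -> str:
    """Append "_" to every inner extension that is not on the allow-list.

    Simplified model of Drupal-style filename munging, not Drupal's code:
    "report.php.txt" with allowed ["txt"] becomes "report.php_.txt", so a
    server matching on inner extensions no longer sees "php". The final
    extension is left alone; final_extension_allowed() handles that part.
    """
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) < 3:            # no inner extensions to munge
        return base
    ok = {a.lower() for a in allowed}
    munged = [parts[0]]
    for ext in parts[1:-1]:
        munged.append(ext if ext.lower() in ok else ext + "_")
    munged.append(parts[-1])
    return ".".join(munged)


# Constructed sample of names as they might sit in an upload directory.
SAMPLE_UPLOADS = [
    "brochure.pdf",
    "photo.JPG",
    "report.php.txt",    # inner "php" extension
    "notes.txt.phtml",   # dangerous final extension
    ".htaccess",         # dotfile; its only extension is "htaccess"
    "archive.tar.gz",
]

if __name__ == "__main__":
    for name, hits in audit_filenames(SAMPLE_UPLOADS):
        print(f"FLAG {name}: dangerous extension(s) {hits}")
    print(munge_filename("report.php.txt", ["txt", "pdf", "jpg"]))
```

Run audit_directory() against the site's real upload root to triage existing files; anything flagged should be reviewed by hand rather than deleted blindly, since a legitimate "notes.js.txt" will also be reported.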