[Esip-drupal] [drupal] [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

Adam Shepherd via Esip-drupal esip-drupal at lists.esipfed.org
Wed Nov 19 15:58:33 EST 2014


Hey fellow ESIP Drupalers, 

In case you haven't heard yet, there's a security update for Drupal 6 & 7 core. Go get you a hearty helping of version x.34

--Adam

---------------------------------------------------------------------------------------------------------------
ESIP Drupal Working Group
Co-Chair: David Bassendine                      david at bluedotlab.org
Co-Chair: Adam Shepherd 	                       ashepherd at whoi.edu

The Working Group gathers for monthly Telecons on 
the 4th Wednesday of every month at 2pm CT

Drupal.org Group: https://groups.drupal.org/science-on-drupal
Twitter: https://twitter.com/ScienceOnDrupal
YouTube: goo.gl/B0t57T
Google+: http://goo.gl/w4KBJY

Mailing List: esip-drupal at lists.esipfed.org 
   http://www.lists.esipfed.org/mailman/listinfo/esip-drupal
---------------------------------------------------------------------------------------------------------------

Begin forwarded message:

> From: security-news at drupal.org
> Subject: [drupal] [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006
> Date: November 19, 2014 3:47:24 PM EST
> To: security-news at drupal.org
> Reply-To: noreply at drupal.org
> 
> View online: https://www.drupal.org/SA-CORE-2014-006
> 
>   * Advisory ID: DRUPAL-SA-CORE-2014-006
>   * Project: Drupal core [1]
>   * Version: 6.x, 7.x
>   * Date: 2014-November-19
>   * Security risk: 14/25 (Moderately Critical)
>     AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
>   * Vulnerability: Multiple vulnerabilities
> 
> -------- DESCRIPTION
> ---------------------------------------------------------
> 
> .... Session hijacking (Drupal 6 and 7)
> 
> A specially crafted request can give a user access to another user's session,
> allowing an attacker to hijack a random session.
> 
> This attack is known to be possible on certain Drupal 7 sites which serve
> both HTTP and HTTPS content ("mixed-mode" [3]), but it is possible there are
> other attack vectors for both Drupal 6 and Drupal 7.
> 
> .... Denial of service (Drupal 7 only)
> 
> Drupal 7 includes a password hashing API to ensure that user supplied
> passwords are not stored in plain text.
> 
> A vulnerability in this API allows an attacker to send specially crafted
> requests resulting in CPU and memory exhaustion. This may lead to the site
> becoming unavailable or unresponsive (denial of service).
> 
> This vulnerability can be exploited by anonymous users.
> 
> 
> -------- CVE IDENTIFIER(S) ISSUED
> --------------------------------------------
> 
>   * /A CVE identifier [4] will be requested, and added upon issuance, in
>     accordance with Drupal Security Team processes./
> 
> -------- VERSIONS AFFECTED
> ---------------------------------------------------
> 
>   * Drupal core 6.x versions prior to 6.34.
>   * Drupal core 7.x versions prior to 7.34.
> 
> -------- SOLUTION
> ------------------------------------------------------------
> 
> Install the latest version:
> 
>   * If you use Drupal 6.x, upgrade to Drupal core 6.34. [5]
>   * If you use Drupal 7.x, upgrade to Drupal core 7.34. [6]
> 
> If you have configured a custom password.inc file for your Drupal 7 site you
> also need to make sure that it is not prone to the same denial of service
> vulnerability.  See also the similar security advisory for the Drupal 6
> contributed Secure Password Hashes module: SA-CONTRIB-2014-113 [7]
> 
> Also see the Drupal core [8] project page.
> 
> -------- REPORTED BY
> ---------------------------------------------------------
> 
> Session hijacking:
> 
>   * Aaron Averill [9]
> 
> Denial of service:
> 
>   * Michael Cullum [10]
>   * Javier Nieto [11]
>   * Andrés Rojas Guerrero [12]
> 
> -------- FIXED BY
> ------------------------------------------------------------
> 
> Session hijacking:
> 
>   * Klaus Purer [13] of the Drupal Security Team
>   * David Rothstein [14] of the Drupal Security Team
>   * Peter Wolanin [15] of the Drupal Security Team
> 
> Denial of service:
> 
>   * Klaus Purer [16] of the Drupal Security Team
>   * Peter Wolanin [17] of the Drupal Security Team
>   * Heine Deelstra [18] of the Drupal Security Team
>   * Tom Phethean [19]
> 
> -------- COORDINATED BY
> ------------------------------------------------------
> 
>   * The Drupal Security Team
> 
> -------- CONTACT AND MORE INFORMATION
> ----------------------------------------
> 
> The Drupal security team can be reached at security at drupal.org or via the
> contact form at https://www.drupal.org/contact [20].
> 
> Learn more about the Drupal Security team and their policies [21], writing
> secure code for Drupal [22], and securing your site [23].
> 
> Follow the Drupal Security Team on Twitter at
> https://twitter.com/drupalsecurity [24]
> 
> 
> [1] https://www.drupal.org/project/drupal
> [2] https://www.drupal.org/security-team/risk-levels
> [3] https://www.drupal.org/https-information
> [4] http://cve.mitre.org/
> [5] https://www.drupal.org/drupal-6.34-release-notes
> [6] https://www.drupal.org/drupal-7.34-release-notes
> [7] https://www.drupal.org/node/2378367
> [8] https://www.drupal.org/project/drupal
> [9] https://www.drupal.org/user/1317732
> [10] https://www.drupal.org/u/MichaelCu
> [11] https://www.drupal.org/u/jnietotn
> [12] https://www.drupal.org/u/c0r3dump3d
> [13] https://www.drupal.org/u/klausi
> [14] https://www.drupal.org/u/David_Rothstein
> [15] https://www.drupal.org/u/pwolanin
> [16] https://www.drupal.org/u/klausi
> [17] https://www.drupal.org/u/pwolanin
> [18] https://www.drupal.org/u/Heine
> [19] https://www.drupal.org/u/tsphethean
> [20] https://www.drupal.org/contact
> [21] https://www.drupal.org/security-team
> [22] https://www.drupal.org/writing-secure-code
> [23] https://www.drupal.org/security/secure-configuration
> [24] https://twitter.com/drupalsecurity
> 
> _______________________________________________
> Security-news mailing list
> Security-news at drupal.org
> Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
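
The advisory's solution section says a custom password.inc for a Drupal 7 site must be checked so that it is not prone to the same denial of service as the core password hashing API. As an added example, and not code from the advisory, from Drupal or from this list, here is a small PHP hashing wrapper in the same phpass-style iterated-hash pattern that Drupal 7 uses, with a size check applied before any expensive work is started. The function names, the 512-byte cap, the iteration count and the bounds on the stored cost are assumptions chosen for this example.

```php
<?php
// Added example, not Drupal's own password.inc. It shows the shape of the
// guard a custom password hashing implementation needs: the cost of an
// iterated hash grows with both the iteration count and the size of the
// input, so oversized input from an anonymous request must be rejected
// before the hashing loop runs.

define('EXAMPLE_MAX_PASSWORD_LENGTH', 512);   // assumed cap for this example
define('EXAMPLE_HASH_COUNT_LOG2', 15);        // 2^15 iterations, assumed cost

/**
 * Hash a password with a random salt and an iterated SHA-512, refusing
 * oversized input before any expensive work is done.
 *
 * Returns "salt$count_log2$hash", or FALSE when the input is rejected.
 */
function example_hash_password($password) {
  // Denial-of-service guard: reject oversized input first, cheaply.
  if (!is_string($password) || strlen($password) > EXAMPLE_MAX_PASSWORD_LENGTH) {
    return FALSE;
  }
  // random_bytes() needs PHP 7+; openssl_random_pseudo_bytes() on older PHP.
  $salt = bin2hex(random_bytes(16));
  $hash = example_iterated_hash($password, $salt, EXAMPLE_HASH_COUNT_LOG2);
  return $salt . '$' . EXAMPLE_HASH_COUNT_LOG2 . '$' . $hash;
}

/**
 * Verify a password against a value produced by example_hash_password().
 * The same size guard applies, since verification runs the same loop.
 */
function example_check_password($password, $stored) {
  if (!is_string($password) || strlen($password) > EXAMPLE_MAX_PASSWORD_LENGTH) {
    return FALSE;
  }
  $parts = explode('$', (string) $stored);
  if (count($parts) !== 3) {
    return FALSE;
  }
  list($salt, $count_log2, $expected) = $parts;
  $count_log2 = (int) $count_log2;
  // Bound the iteration count read from storage as well, so a tampered
  // record cannot force an unbounded amount of work (assumed bounds).
  if ($count_log2 < 7 || $count_log2 > 30) {
    return FALSE;
  }
  $actual = example_iterated_hash($password, $salt, $count_log2);
  // Constant-time comparison (PHP 5.6+).
  return hash_equals($expected, $actual);
}

/**
 * phpass-style iterated hash: hash(salt . password), then repeatedly
 * hash(previous . password) 2^$count_log2 times. The per-iteration cost
 * is proportional to strlen($password), which is why the cap above matters.
 */
function example_iterated_hash($password, $salt, $count_log2) {
  $count = 1 << $count_log2;
  $hash = hash('sha512', $salt . $password, TRUE);
  do {
    $hash = hash('sha512', $hash . $password, TRUE);
  } while (--$count);
  return bin2hex($hash);
}

// Usage: a normal password round-trips through hash and check, while an
// oversized one (constructed here) is turned away before the loop runs.
$stored = example_hash_password('correct horse battery staple');
var_dump(example_check_password('correct horse battery staple', $stored));
var_dump(example_check_password('not the password', $stored));
var_dump(example_hash_password(str_repeat('A', 100000)));
```

When reviewing a custom password.inc, the two places to look are the entry points that an unauthenticated login or registration request can reach, both the hashing and the checking path, and whether any cost parameter read back from the database is bounded. A guard on only one of the two paths leaves the other one doing the full amount of work.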
