Date: Thu, 25 Feb 2016 15:36:20 +0000 (UTC)
From: Mark Felder <feld@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r409527 - head/security/vuxml
Message-ID: <201602251536.u1PFaKtr084654@repo.freebsd.org>
Author: feld Date: Thu Feb 25 15:36:20 2016 New Revision: 409527 URL: https://svnweb.freebsd.org/changeset/ports/409527 Log: Document drupal vulnerabilities PR: 207467 Security: https://www.drupal.org/SA-CORE-2016-001 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Feb 25 15:27:43 2016 (r409526) +++ head/security/vuxml/vuln.xml Thu Feb 25 15:36:20 2016 (r409527) 
@@ -58,6 +58,60 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="59a0af97-dbd4-11e5-8fa8-14dae9d210b8"> + <topic>drupal -- multiple vulnerabilities</topic> + <affects> + <package> + <name>drupal6</name> + <range><lt>6.38</lt></range> + </package> + <package> + <name>drupal7</name> + <range><lt>7.43</lt></range> + </package> + <package> + <name>drupal8</name> + <range><lt>8.0.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Drupal Security Team reports:</p> + <blockquote cite="https://www.drupal.org/SA-CORE-2016-001"> + <ul> + <li><p>File upload access bypass and denial of service (File + module - Drupal 7 and 8 - Moderately Critical)</p></li> + <li><p>Brute force amplification attacks via XML-RPC (XML-RPC + server - Drupal 6 and 7 - Moderately Critical)</p></li> + <li><p>Open redirect via path manipulation (Base system - + Drupal 6, 7 and 8 - Moderately Critical) </p></li> + <li><p>Form API ignores access restrictions on submit buttons + (Form API - Drupal 6 - Critical)</p></li> + <li><p>HTTP header injection using line breaks (Base system - + Drupal 6 - Moderately Critical)</p></li> + <li><p>Open redirect via double-encoded 'destination' + parameter (Base system - Drupal 6 - Moderately Critical)</p></li> + <li><p>Reflected file download vulnerability (System module - + Drupal 6 and 7 - Moderately Critical)</p></li> + <li><p>Saving user accounts can sometimes grant the user all + roles (User module - Drupal 6 and 7 - Less Critical)</p></li> + <li><p>Email address can be matched to an account (User module + - Drupal 7 and 8 - Less Critical)</p></li> + <li><p>Session data truncation can lead to unserialization of + user provided data (Base system - Drupal 6 - Less Critical)</p></li> + </ul> + </blockquote> + </body> + </description> + <references> + <url>https://www.drupal.org/SA-CORE-2016-001</url> + </references> + 
<dates> + <discovery>2016-02-24</discovery> + <entry>2016-02-25</entry> + </dates> + </vuln> + <vuln vid="7e01df39-db7e-11e5-b937-00e0814cab4e"> <topic>jenkins -- multiple vulnerabilities</topic> <affects>
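Review bot: The new drupal entry's <references> block carries only the advisory URL, while the advisory it quotes lists ten distinct issues; when CVE identifiers are assigned for them, add a <cvename> line per identifier alongside the <url> so that pkg audit and CVE-based tooling can find this entry by CVE rather than by the vendor advisory alone. Two smaller points in the same hunk: the third list item has a stray space before the closing tag ("Drupal 6, 7 and 8 - Moderately Critical) </p></li>"), which the other nine items do not, and since the per-item scope annotations already name which of Drupal 6, 7 and 8 each issue affects, it is worth double-checking that the three <range> elements (drupal6 lt 6.38, drupal7 lt 7.43, drupal8 lt 8.0.4) match the fixed releases named in SA-CORE-2016-001 before commit.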