From: updates@fedoraproject.org
Subject: [SECURITY] Fedora 19 Update: drupal6-context-3.3-1.fc19
Newsgroups: gmane.linux.redhat.fedora.package.announce
Date: Saturday 23rd November 2013 19:52:08 UTC
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-21231
2013-11-14 02:06:24
--------------------------------------------------------------------------------

Name        : drupal6-context
Product     : Fedora 19
Version     : 3.3
Release     : 1.fc19
URL         : http://drupal.org/project/context
Summary     : Context Module for Drupal6
Description :
Context allows you to manage contextual conditions and reactions for
different portions of your site.

--------------------------------------------------------------------------------
Update Information:

CVE-2013-4445/CVE-2013-4446

Context, a Drupal module that allows you to manage contextual conditions
and reactions for different portions of your site, was found to have two
severe security issues.

The first issue is that the module allows execution of PHP code via
manipulation of a URL argument in a path used for AJAX operations when
running in a configuration without a json_decode function provided by PHP
or the PECL JSON library. This vulnerability is only exploitable on a
server running a PHP version prior to 5.2 that does not have the JSON
library installed; json_decode has shipped with PHP's bundled json
extension since 5.2, so the vulnerable fallback is reached only on older
or unusually built hosts.
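The failure mode above, as an added example that is not code from the Context module or from Drupal: a hypothetical json_decode emulation of the kind old PHP code carried for hosts without ext/json, which rewrites JSON into PHP array syntax and evaluates it, next to a fallback that fails closed and a whitelist on the block identifier the AJAX path is allowed to act on. All function names, the allowed-block list and the sample inputs are constructed for the demo; it runs stand-alone on PHP 5.4 or later.

```php
<?php
// Added example, not the Context module's code. Shows why a json_decode()
// emulation built on eval() turns a URL argument into a code-execution sink,
// and what a fail-closed replacement looks like. Names are constructed.

// Hypothetical compatibility decoder: JSON object/array syntax is close to
// PHP's array() syntax, so naive fallbacks rewrote the text and eval()'d it.
// Whatever arrives in $json is executed as PHP.
function unsafe_json_decode($json) {
    $php = strtr($json, array(
        '{' => 'array(', '}' => ')',
        '[' => 'array(', ']' => ')',
        ':' => '=>',
    ));
    $result = null;
    eval('$result = ' . $php . ';');
    return $result;
}

// Fail-closed replacement: use the real decoder when it exists, otherwise
// refuse the request instead of improvising a parser.
function safe_json_decode($json) {
    if (!function_exists('json_decode')) {
        // No ext/json on this host: there is no safe way to parse this here.
        return null;
    }
    $value = json_decode($json, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        return null;
    }
    return $value;
}

// The decoded value only ever selects from a fixed set of block identifiers
// the endpoint is allowed to render (constructed list passed in by the caller).
function select_block(array $allowed, $json) {
    $req = safe_json_decode($json);
    if (!is_array($req) || !isset($req['block']) || !is_string($req['block'])) {
        return null;
    }
    return in_array($req['block'], $allowed, true) ? $req['block'] : null;
}

$allowed = array('footer', 'sidebar_menu');
$benign  = '{"block":"footer"}';
// Not valid JSON, but after the naive rewrite it is valid PHP that calls a
// function. strtoupper() stands in for anything an attacker would rather call.
$hostile = '{"block": strtoupper("executed")}';

// The unsafe decoder runs the strtoupper() call while "decoding".
var_dump(unsafe_json_decode($hostile));
// The real decoder rejects the same input as a syntax error.
var_dump(safe_json_decode($hostile));
// Only identifiers on the allowed list come back from the selector.
var_dump(select_block($allowed, $benign));
var_dump(select_block($allowed, '{"block":"admin_stats"}'));
```

Two things to take from it: the fix for a missing decoder is to stop serving the request, not to emulate the decoder with the language's own evaluator, and a value taken from a URL argument should be matched against the set of things the endpoint may act on rather than used as-is.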

The second issue is that the module uses Drupal's token scheme to restrict
access to the JSON rendering of a block. This control is insufficient:
Drupal's token scheme is designed to provide security between two
different sessions (or between a session and a non-authenticated user) and
is not designed to provide security within a session. A token proves that
the request came from the session the token was issued to; it does not
establish that the session's user is authorized to see the block. This
vulnerability is mitigated by the fact that it only matters for blocks
that contain sensitive information.
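The distinction above (a token that stops cross-session replay versus an authorization check), as an added example that is not Drupal's or Context's code. It models the shape of Drupal's token scheme as an HMAC over a value, keyed with the requesting session id and a server-side secret, and puts an endpoint guarded only by that token next to one that also checks block access. The secret, the block registry, the users and the fixed purpose string 'render-block' are all constructed for the demo; it runs stand-alone on PHP 5.6 or later (hash_equals()).

```php
<?php
// Added example, not Drupal's or the Context module's code. Everything
// named here is constructed for the demo.

define('DEMO_PRIVATE_KEY', 'constructed-server-secret');

// Token issued to one session for one value. Another session cannot produce
// it without the server secret, which is what defeats cross-session (CSRF)
// replay. It says nothing about what the session's user may see.
function demo_get_token($session_id, $value) {
    return hash_hmac('sha256', $value, $session_id . DEMO_PRIVATE_KEY);
}

function demo_valid_token($session_id, $token, $value) {
    return hash_equals(demo_get_token($session_id, $value), $token);
}

// Constructed block registry: the permission, if any, each block requires.
$BLOCKS = array(
    'footer'      => array('body' => 'public footer',    'perm' => null),
    'admin_stats' => array('body' => 'internal metrics', 'perm' => 'administer site'),
);

// Constructed sessions and the permissions their users hold.
$USERS = array(
    'sess-alice' => array('name' => 'alice', 'perms' => array()),
    'sess-root'  => array('name' => 'root',  'perms' => array('administer site')),
);

function block_access(array $users, array $blocks, $session_id, $block_id) {
    if (!isset($users[$session_id], $blocks[$block_id])) {
        return false;
    }
    $perm = $blocks[$block_id]['perm'];
    return $perm === null || in_array($perm, $users[$session_id]['perms'], true);
}

// Endpoint guarded by the token alone: any block id goes, as long as the
// caller is the session the token was issued to.
function render_token_only(array $blocks, $session_id, $block_id, $token) {
    if (!isset($blocks[$block_id]) || !demo_valid_token($session_id, $token, 'render-block')) {
        return 'denied';
    }
    return $blocks[$block_id]['body'];
}

// Hardened endpoint: the token for CSRF, then an access check on the block.
function render_hardened(array $users, array $blocks, $session_id, $block_id, $token) {
    if (!demo_valid_token($session_id, $token, 'render-block')) {
        return 'denied';
    }
    if (!block_access($users, $blocks, $session_id, $block_id)) {
        return 'denied';
    }
    return $blocks[$block_id]['body'];
}

// Alice's own page legitimately handed her a render token so her AJAX calls
// can fetch the blocks she is shown.
$alice_token = demo_get_token('sess-alice', 'render-block');

// Within her session the token is as good for a block she must not see as
// for one she may: the second call returns the internal block.
echo render_token_only($BLOCKS, 'sess-alice', 'footer', $alice_token), "\n";
echo render_token_only($BLOCKS, 'sess-alice', 'admin_stats', $alice_token), "\n";

// With the access check, the same token only works for blocks she may see.
echo render_hardened($USERS, $BLOCKS, 'sess-alice', 'footer', $alice_token), "\n";
echo render_hardened($USERS, $BLOCKS, 'sess-alice', 'admin_stats', $alice_token), "\n";

// Across sessions the token does the job it was designed for: presented from
// a different session it does not verify, even for a user who holds the permission.
echo render_hardened($USERS, $BLOCKS, 'sess-root', 'admin_stats', $alice_token), "\n";
```

The token value is a fixed purpose string here; binding it to the block id does not change the conclusion if the session can legitimately obtain a token for any block id it names. The authorization decision has to be made from the user's permissions at render time, with the token only establishing that the request is not a cross-site forgery.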

The suggested fix is to update Context for Drupal 6 to 6.x-3.2 and Context
for Drupal 7 to 7.x-3.0.

References:
http://seclists.org/fulldisclosure/2013/Oct/118
https://drupal.org/node/2113317
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 13 2013 Jon Ciesla  - 3.3-1
- Update to latest, SA-CONTRIB-2013-079, BZ 1020780,
- BZ 1020783, BZ 1020256.
* Sat Aug  3 2013 Fedora Release Engineering - 3.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1020780 - drupal6-context: drupal-context: multiple vulnerabilities [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1020780
  [ 2 ] Bug #1020783 - drupal6-context: drupal-context: multiple vulnerabilities [epel-6]
        https://bugzilla.redhat.com/show_bug.cgi?id=1020783
  [ 3 ] Bug #1020256 - drupal6-context-3.3 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1020256
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update drupal6-context' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on
the GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce