oss-sec mailing list archives
Pending CVE assignments for SA-CORE-2014-006?
From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 20 Nov 2014 07:10:28 +0100
Hi I just wanted to ask back if the CVEs for SA-CORE-2014-006[1] were already requested (the advisory mention that they will be requested and added to the advisory). If so this will ease tracking the two issues. For reference they are:
Session hijacking (Drupal 6 and 7)
A specially crafted request can give a user access to another user's
session, allowing an attacker to hijack a random session.
This attack is known to be possible on certain Drupal 7 sites which
serve both HTTP and HTTPS content ("mixed-mode"), but it is possible
there are other attack vectors for both Drupal 6 and Drupal 7.
Denial of service (Drupal 7 only)
Drupal 7 includes a password hashing API to ensure that user
supplied passwords are not stored in plain text.
A vulnerability in this API allows an attacker to send specially
crafted requests resulting in CPU and memory exhaustion. This may
lead to the site becoming unavailable or unresponsive (denial of
service).
This vulnerability can be exploited by anonymous users.
They are fixed in Drupal7 7.34 and Drupal6 6.34. [1] https://www.drupal.org/SA-CORE-2014-006 Regards, Salvatore
Current thread:
- Pending CVE assignments for SA-CORE-2014-006? Salvatore Bonaccorso (Nov 19)
- Re: Pending CVE assignments for SA-CORE-2014-006? Gunnar Wolf (Nov 20)
- Re: Pending CVE assignments for SA-CORE-2014-006? cve-assign (Nov 20)
- Re: [security] Pending CVE assignments for SA-CORE-2014-006? Peter Wolanin (Nov 20)
- Re: [security] Pending CVE assignments for SA-CORE-2014-006? cve-assign (Nov 20)
- Re: [security] Pending CVE assignments for SA-CORE-2014-006? Peter Wolanin (Nov 20)