oss-sec mailing list archives

Re: CVE Request -- Drupal 7 -- Access bypass in node listings (SA-CORE-2011-002)

From: Josh Bressers <bressers () redhat com>
Date: Tue, 12 Jul 2011 16:07:09 -0400 (EDT)

Please use CVE-2011-2687.

Thanks.

-- 
    JB


----- Original Message -----

Hello Josh, Steve, vendors,

this:
[1] http://drupal.org/node/1204582

From [1]: Access bypass in node listings:
=========================================

Listings showing nodes but not JOINing the node table show all
nodes regardless of restrictions imposed by the node_access system.
In core, this affects the taxonomy and the forum subsystem.

...

Versions affected:
==================

Drupal 7.0, 7.1 and 7.2.


References:
------------
[2] https://bugzilla.redhat.com/show_bug.cgi?id=717874
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633385

doesn't seem to have a CVE identifier allocated yet. Could you
allocate one?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Current thread:

CVE Request -- Drupal 7 -- Access bypass in node listings (SA-CORE-2011-002) Jan Lieskovsky (Jul 11)
- Re: CVE Request -- Drupal 7 -- Access bypass in node listings (SA-CORE-2011-002) Josh Bressers (Jul 12)