oss-sec mailing list archives
Re: CVE Request for Drupal Contributed Modules
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 20 Nov 2012 13:35:32 -0700
On 11/17/2012 10:29 PM, Forest Monsen wrote:
> Hello! Here's a batch CVE request for a number of previously published and resolved issues with contributed modules for the Drupal project.
>
> As noted in http://www.openwall.com/lists/oss-security/2012/11/05/4, I have volunteered to coordinate our CVE requests.
>
> Forest Monsen, on behalf of the Drupal Security Team
Please see bottom of email for CVEs
> - SA-CONTRIB-2012-146 - Simplenews Scheduler - Arbitrary code execution
>   http://drupal.org/node/1789284
> - SA-CONTRIB-2012-147 - FileField Sources - Cross Site Scripting (XSS)
>   http://drupal.org/node/1789306
> - SA-CONTRIB-2012-148 - Organic Groups - Access Bypass
>   http://drupal.org/node/1796036
> - SA-CONTRIB-2012-149 - Hostip - Cross Site Scripting (XSS)
>   http://drupal.org/node/1802218
> - SA-CONTRIB-2012-150 - Twitter Pull - Cross Site Scripting (XSS)
>   http://drupal.org/node/1802230
> - SA-CONTRIB-2012-151 - Commerce Extra Panes - Cross Site Request Forgery
>   http://drupal.org/node/1802258
> - SA-CONTRIB-2012-152 - Feeds - Access bypass
>   http://drupal.org/node/1808832
> - SA-CONTRIB-2012-153 - Mandrill - Information Disclosure
>   http://drupal.org/node/1808846
> - SA-CONTRIB-2012-154 - Basic webmail - Cross Site Scripting
>   http://drupal.org/node/1808852
> - SA-CONTRIB-2012-154 - Basic webmail - Information Disclosure
>   http://drupal.org/node/1808852
> - SA-CONTRIB-2012-155 - ShareThis - Cross Site Scripting (XSS)
>   http://drupal.org/node/1808856
> - SA-CONTRIB-2012-156 - Search API - Cross Site Request Forgery (CSRF)
>   http://drupal.org/node/1815770
> - SA-CONTRIB-2012-157 - Time Spent - Cross Site Scripting (XSS)
>   http://drupal.org/node/1822066
> - SA-CONTRIB-2012-157 - Time Spent - Cross Site Request Forgery (CSRF)
>   http://drupal.org/node/1822066
> - SA-CONTRIB-2012-157 - Time Spent - SQL Injection
>   http://drupal.org/node/1822066
> - SA-CONTRIB-2012-158 - MailChimp - Cross Site Scripting (XSS)
>   http://drupal.org/node/1822166
> - SA-CONTRIB-2012-159 - Password policy - Information disclosure
>   http://drupal.org/node/1828340
> - SA-CONTRIB-2012-160 - OM Maximenu - Cross Site Scripting (XSS)
>   http://drupal.org/node/1834866
> - SA-CONTRIB-2012-161 - Webform CiviCRM Integration - Access Bypass
>   http://drupal.org/node/1834868
> - SA-CONTRIB-2012-162 - RESTful Web Services - Cross site request forgery (CSRF)
>   http://drupal.org/node/1840740
> - SA-CONTRIB-2012-163 - User Read-Only - Permission escalation
>   http://drupal.org/node/1840886
> - SA-CONTRIB-2012-164 - Smiley module and Smileys module - Cross Site Scripting (XSS)
>   http://drupal.org/node/1840892
> - SA-CONTRIB-2012-165 - Chaos tool suite (ctools) - Cross Site Scripting (XSS)
>   http://drupal.org/node/1840992
Please use the following:

CVE-2012-5537 Drupal SA-CONTRIB-2012-146
CVE-2012-5538 Drupal SA-CONTRIB-2012-147
CVE-2012-5539 Drupal SA-CONTRIB-2012-148
CVE-2012-5540 Drupal SA-CONTRIB-2012-149
CVE-2012-5541 Drupal SA-CONTRIB-2012-150
CVE-2012-5542 Drupal SA-CONTRIB-2012-151
CVE-2012-5543 Drupal SA-CONTRIB-2012-152
CVE-2012-5544 Drupal SA-CONTRIB-2012-153
CVE-2012-5545 Drupal SA-CONTRIB-2012-155 XSS
CVE-2012-5546 Drupal SA-CONTRIB-2012-155 Information Disclosure
CVE-2012-5547 Drupal SA-CONTRIB-2012-156
CVE-2012-5548 Drupal SA-CONTRIB-2012-157 XSS
CVE-2012-5549 Drupal SA-CONTRIB-2012-157 CSRF
CVE-2012-5550 Drupal SA-CONTRIB-2012-157 SQL Injection
CVE-2012-5551 Drupal SA-CONTRIB-2012-158
CVE-2012-5552 Drupal SA-CONTRIB-2012-159
CVE-2012-5553 Drupal SA-CONTRIB-2012-160
CVE-2012-5554 Drupal SA-CONTRIB-2012-161
CVE-2012-5556 Drupal SA-CONTRIB-2012-162
CVE-2012-5557 Drupal SA-CONTRIB-2012-163
CVE-2012-5558 Drupal SA-CONTRIB-2012-164
CVE-2012-5559 Drupal SA-CONTRIB-2012-165

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993