svn commit: r520540 - head/security/vuxml
Jose Alonso Cardenas Marquez
acm at FreeBSD.org
Sat Dec 21 02:28:27 UTC 2019
Author: acm
Date: Sat Dec 21 02:28:27 2019
New Revision: 520540
URL: https://svnweb.freebsd.org/changeset/ports/520540
Log:
- Add drupal[78] entry
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sat Dec 21 02:01:52 2019 (r520539)
+++ head/security/vuxml/vuln.xml Sat Dec 21 02:28:27 2019 (r520540)
@@ -58,40 +58,61 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
- <vuln vid="ed8cbad5-21a8-11ea-9b6d-901b0e934d69">
- <topic>py-matrix-synapse -- multiple vulnerabilities</topic>
+ <vuln vid="3da0352f-2397-11ea-966e-000ffec0b3e1">
+ <topic>drupal -- Drupal Core - Multiple Vulnerabilities</topic>
<affects>
<package>
- <name>py35-matrix-synapse</name>
- <name>py36-matrix-synapse</name>
- <name>py37-matrix-synapse</name>
- <range><lt>1.7.1</lt></range>
+ <name>drupal7</name>
+ <range><lt>7.69</lt></range>
</package>
+ <package>
+ <name>drupal8</name>
+ <range><lt>8.8.1</lt></range>
+ </package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
- <p>Matrix developers report:</p>
- <blockquote cite="https://github.com/matrix-org/synapse/releases/tag/v1.7.1">
- <p>The [synapse 1.7.1] release includes several security fixes as well
- as a fix to a bug exposed by the security fixes. All previous releases
- of Synapse are affected. Administrators are encouraged to upgrade as
- soon as possible.</p>
- <ul>
- <li>Fix a bug which could cause room events to be incorrectly authorized
- using events from a different room.</li>
- <li>Fix a bug causing responses to the /context client endpoint to not
- use the pruned version of the event.</li>
- <li>Fix a cause of state resets in room versions 2 onwards.</li>
- </ul>
+ <p>Drupal Security Team reports:</p>
+ <blockquote cite="https://www.drupal.org/sa-core-2019-009">
+ <p>A visit to install.php can cause cached data to become corrupted.
+ This could cause a site to be impaired until caches are rebuilt.</p>
</blockquote>
+ <blockquote cite="https://www.drupal.org/sa-core-2019-010">
+ <p>Drupal 8 core's file_save_upload() function does not strip the
+ leading and trailing dot ('.') from filenames, like Drupal 7 did.
+ Users with the ability to upload files with any extension in
+ conjunction with contributed modules may be able to use this to
+ upload system files such as .htaccess in order to bypass protections
+ afforded by Drupal's default .htaccess file. After this fix,
+ file_save_upload() now trims leading and trailing dots from filenames.
+ </p>
+ </blockquote>
+ <blockquote cite="https://www.drupal.org/sa-core-2019-011">
+ <p>The Media Library module has a security vulnerability whereby it
+ doesn't sufficiently restrict access to media items in certain
+ configurations.
+ </p>
+ </blockquote>
+ <blockquote cite="https://www.drupal.org/sa-core-2019-012">
+ <p>The Drupal project uses the third-party library Archive_Tar, which
+ has released a security-related feature that impacts some Drupal
+ configurations. Multiple vulnerabilities are possible if Drupal is
+ configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and
+ processes them. The latest versions of Drupal update Archive_Tar to
+ 1.4.9 to mitigate the file processing vulnerabilities.
+ </p>
+ </blockquote>
</body>
</description>
<references>
- <url>https://github.com/matrix-org/synapse/releases/tag/v1.7.1</url>
+ <url>https://www.drupal.org/sa-core-2019-009</url>
+ <url>https://www.drupal.org/sa-core-2019-010</url>
+ <url>https://www.drupal.org/sa-core-2019-011</url>
+ <url>https://www.drupal.org/sa-core-2019-012</url>
</references>
<dates>
<discovery>2019-12-18</discovery>
- <entry>2019-12-18</entry>
+ <entry>2019-12-21</entry>
</dates>
</vuln>
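Review bot: as displayed, this hunk removes the existing py-matrix-synapse entry (vid ed8cbad5-21a8-11ea-9b6d-901b0e934d69, its three py3x-matrix-synapse package names, the `<lt>1.7.1</lt>` range, its description and its reference URL) and puts the new drupal entry in its place, while the log message says only that a drupal[78] entry is being added. The header counts (-58,40 +58,61) are consistent with the new entry having been inserted above the old one and the diff merely aligning the two, but the hunk as shown ends at `</vuln>` without the synapse entry being re-added, so confirm in the committed vuln.xml that the matrix-synapse entry is still present and unchanged below the drupal one. Two smaller points: `<discovery>2019-12-18</discovery>` is kept as unchanged context from the synapse entry while `<entry>` moves to 2019-12-21, so check that 2019-12-18 is really the discovery date intended for the four Drupal advisories rather than a leftover; and the existing topic style in this file is lower-case after the separator (`py-matrix-synapse -- multiple vulnerabilities`), so `drupal -- Drupal Core - Multiple Vulnerabilities` could be written as `drupal -- multiple vulnerabilities` for consistency.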