View online: https://www.drupal.org/sa-core-2019-006
Project: Drupal core [1]
Date: 2019-April-17
Security risk: *Moderately critical* 10/25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Description:
The jQuery project released version 3.4.0, and as part of that, disclosed a
security vulnerability that affects all prior versions. As described in their
release notes [3]:
>jQuery 3.4.0 includes a fix for some unintended behavior when using
>jQuery.extend(true, {}, …). If an unsanitized source object contained an
>enumerable __proto__ property, it could extend the native Object.prototype.
>This fix is included in jQuery 3.4.0, but patch diffs exist to patch
>previous jQuery versions.
>
It’s possible that this vulnerability is exploitable with some Drupal
modules. As a precaution, this Drupal security release backports the fix to
jQuery.extend(), without making any other changes to the jQuery version that
is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or
running on the site via some other module such as jQuery Update [4].
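To make the behaviour quoted above concrete, the following is an added example written for this advisory, not code from jQuery or Drupal core. deepExtendVulnerable and deepExtendSafe are hypothetical re-implementations of the deep-merge semantics of jQuery.extend(true, …) before and after the 3.4.0 guard (the fix skips a source key named __proto__ and refuses to merge an object into itself); findForbiddenKeys is a constructed defensive check for incoming JSON; the payload and the function names are constructed for this example.

```javascript
// Added example (not jQuery's or Drupal's code): a deep merge with the
// pre-3.4.0 defect. JSON.parse() creates an own, enumerable "__proto__"
// key, Object.keys() lists it, and target["__proto__"] on a plain object
// resolves to Object.prototype, so nested keys land on the shared prototype.
function deepExtendVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const existing = target[key]; // Object.prototype when key === "__proto__"
      target[key] = deepExtendVulnerable(
        existing !== null && typeof existing === "object" ? existing : {},
        value
      );
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Same merge with the 3.4.0-style guard: a "__proto__" source key is never
// followed, and a value that is the target itself is never merged.
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (key === "__proto__" || value === target) continue;
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const existing = target[key];
      target[key] = deepExtendSafe(
        existing !== null && typeof existing === "object" ? existing : {},
        value
      );
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Defensive input check (constructed for this example): walk parsed JSON and
// return the paths of keys that can reach the prototype chain, so the request
// can be rejected or logged before any merge happens.
function findForbiddenKeys(value, path = "") {
  const forbidden = new Set(["__proto__", "constructor", "prototype"]);
  const hits = [];
  if (value === null || typeof value !== "object") return hits;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (forbidden.has(key)) hits.push(here);
    hits.push(...findForbiddenKeys(value[key], here));
  }
  return hits;
}

// Runs one merge implementation against a constructed untrusted payload and
// reports whether an unrelated object afterwards sees the injected property.
// The injected property is removed again so the process is left clean.
function isPrototypePolluted(extendFn) {
  const untrusted = JSON.parse('{"__proto__": {"isAdmin": true}}'); // constructed payload
  extendFn({}, untrusted);
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

console.log("vulnerable merge pollutes Object.prototype:", isPrototypePolluted(deepExtendVulnerable));
console.log("guarded merge pollutes Object.prototype:  ", isPrototypePolluted(deepExtendSafe));
console.log("suspicious keys in payload:", findForbiddenKeys(JSON.parse('{"a":{"__proto__":{}},"constructor":1}')));
```

The guard is deliberately placed on the source key, not on the target: checking `target.hasOwnProperty(key)` would not help, because the dangerous read is `target["__proto__"]`, which hits the accessor on Object.prototype rather than an own property. The same reasoning applies to any module that ships its own deep merge alongside the jQuery bundled by core or by jQuery Update.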
Solution:
Install the latest version:
* If you are using Drupal 8.6, update to Drupal 8.6.15 [5].
* If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15 [6].
* If you are using Drupal 7, update to Drupal 7.66 [7].
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive
security coverage.
Also see the Drupal core [8] project page.
Additional information:
All advisories released today:
* SA-CORE-2019-005 [9]
* SA-CORE-2019-006 [10]
Updating to the latest Drupal core release will apply the fixes for all the
above advisories.
Reported By:
* dtv_rb [11]
* Jess [12] of the Drupal Security Team
Fixed By:
* Alex Bronstein [13] of the Drupal Security Team
* Lee Rowlands [14] of the Drupal Security Team
* Jess [15] of the Drupal Security Team
* Lauri Eskola [16]
* Greg Knaddison [17] of the Drupal Security Team
* Neil Drumm [18] of the Drupal Security Team
* Samuel Mortenson [19] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
[4] https://www.drupal.org/project/jquery_update
[5] https://www.drupal.org/project/drupal/releases/8.6.15
[6] https://www.drupal.org/project/drupal/releases/8.5.15
[7] https://www.drupal.org/project/drupal/releases/7.66
[8] https://www.drupal.org/project/drupal
[9] https://www.drupal.org/sa-core-2019-005
[10] https://www.drupal.org/sa-core-2019-006
[11] https://www.drupal.org/user/3528196
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/78040
[14] https://www.drupal.org/user/395439
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/1078742
[17] https://www.drupal.org/user/36762
[18] https://www.drupal.org/user/3064
[19] https://www.drupal.org/user/2582268
_______________________________________________
Security-news mailing list
Security-news@drupal.org