Transition Technology: Ticket Query http://localhost:8080/trac/query?status=!closed&reporter=paul&order=priority Support and issues tracking for the Transition Network Web Project. en-US Transition Technology /trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg http://localhost:8080/trac/query?status=!closed&reporter=paul&order=priority Trac 0.12.5 http://localhost:8080/trac/ticket/690 http://localhost:8080/trac/ticket/690 #690: Paul learning the ways of the force. Thu, 20 Feb 2014 15:00:41 GMT paul <p> I'm not a jedi yet </p> <p> #### Transition Network </p> <p> Week ending 16 February Monday (0,45) Phone call | Emails (not issues) | Creating a test site on Aeigr Tuesday (0.45) Reading Wiki pages | Setting up local server (Generated notes for WIki) Wednesday (0.45) Reading wiki pages: setting up a platform / cloning a stage site. Friday (3.00) Reading wiki pages , listening to Jim's talks, Emails (not issues). (Generated notes for WIki for setting up a local server) </p> <p> Finished reading wiki. I'll re-read these as required on my own time going forward. </p> <p> Week ending 23 February Monday (0,15) Emails (not issues) (Mailing list) Thursday (0,30) Phone call / Emails (not issues) </p> <p> Total 6, 00 hours </p> Results http://localhost:8080/trac/ticket/690#changelog http://localhost:8080/trac/ticket/701 http://localhost:8080/trac/ticket/701 #701: Emails & Telephone calls Tue, 18 Mar 2014 09:38:24 GMT paul Results http://localhost:8080/trac/ticket/701#changelog http://localhost:8080/trac/ticket/711 http://localhost:8080/trac/ticket/711 #711: Emails & Telephone calls Tue, 01 Apr 2014 13:47:56 GMT paul Results http://localhost:8080/trac/ticket/711#changelog http://localhost:8080/trac/ticket/758 http://localhost:8080/trac/ticket/758 #758: * Advisory ID: DRUPAL-SA-CORE-2014-003 Wed, 16 Jul 2014 21:55:29 GMT paul <p> View online: <a class="ext-link" href="https://www.drupal.org/SA-CORE-2014-003"><span class="icon">​</span>https://www.drupal.org/SA-CORE-2014-003</a> </p> <ul><li>Advisory ID: DRUPAL-SA-CORE-2014-003 </li><li>Project: Drupal core <a class="missing changeset" title="No default repository defined">[1]</a> </li><li>Version: 6.x, 7.x </li><li>Date: 2014-July-16 </li><li>Security risk: Critical <a class="missing changeset" title="No default repository defined">[2]</a> </li><li>Exploitable from: Remote </li><li>Vulnerability: Multiple vulnerabilities </li></ul><hr /> <hr /> <p> Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. </p> <p> .... Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical) </p> <p> Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header. </p> <p> The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. </p> <p> .... Access bypass (File module - Drupal 7 - Critical) </p> <p> The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files. </p> <p> This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field. </p> <p> Note: The Drupal 6 <a class="missing wiki">FileField?</a> <a class="missing changeset" title="No default repository defined">[3]</a> module is affected by a similar issue (see SA-CONTRIB-2014-071 - <a class="missing wiki">FileField?</a> - Access bypass <a class="missing changeset" title="No default repository defined">[4]</a>) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected. </p> <p> .... Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical) </p> <p> A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules. </p> <p> This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself. </p> <p> .... Cross-site scripting (Ajax system - Drupal 7 - Moderately critical) </p> <p> A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field. </p> <p> This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules. </p> <hr /> <hr /> <ul><li>/A CVE identifier <a class="missing changeset" title="No default repository defined">[5]</a> will be requested, and added upon issuance, in </li></ul><p> accordance with Drupal Security Team processes./ </p> <hr /> <hr /> <ul><li>Drupal core 6.x versions prior to 6.32. </li><li>Drupal core 7.x versions prior to 7.29. </li></ul><hr /> <hr /> <p> Install the latest version: </p> <ul><li>If you use Drupal 6.x, upgrade to Drupal core 6.32. <a class="missing changeset" title="No default repository defined">[6]</a> </li><li>If you use Drupal 7.x, upgrade to Drupal core 7.29. <a class="missing changeset" title="No default repository defined">[7]</a> </li></ul><p> Also see the Drupal core <a class="missing changeset" title="No default repository defined">[8]</a> project page. </p> <hr /> <hr /> <ul><li>The denial of service vulnerability using malicious HTTP Host headers was </li></ul><p> reported by Régis Leroy <a class="missing changeset" title="No default repository defined">[9]</a>. </p> <ul><li>The access bypass vulnerability in the File module was reported by Ivan </li></ul><p> Ch <a class="missing changeset" title="No default repository defined">[10]</a>. </p> <ul><li>The cross-site scripting vulnerability with Form API option groups was </li></ul><p> reported by Károly Négyesi <a class="missing changeset" title="No default repository defined">[11]</a>. </p> <ul><li>The cross-site scripting vulnerability in the Ajax system was reported by </li></ul><p> mani22test <a class="missing changeset" title="No default repository defined">[12]</a>. </p> <hr /> <hr /> <ul><li>The denial of service vulnerability using malicious HTTP Host headers was </li></ul><p> fixed by Régis Leroy <a class="missing changeset" title="No default repository defined">[13]</a>, and by Klaus Purer <a class="missing changeset" title="No default repository defined">[14]</a> of the Drupal Security Team. </p> <ul><li>The access bypass vulnerability in the File module was fixed by Nate Haug </li></ul><p> <a class="missing changeset" title="No default repository defined">[15]</a> and Ivan Ch <a class="missing changeset" title="No default repository defined">[16]</a>, and by Drupal Security Team members David Rothstein <a class="missing changeset" title="No default repository defined">[17]</a>, Heine Deelstra <a class="missing changeset" title="No default repository defined">[18]</a> and David Snopek <a class="missing changeset" title="No default repository defined">[19]</a>. </p> <ul><li>The cross-site scripting vulnerability with Form API option groups was </li></ul><p> fixed by Greg Knaddison <a class="missing changeset" title="No default repository defined">[20]</a> of the Drupal Security Team. </p> <ul><li>The cross-site scripting vulnerability in the Ajax system was fixed by </li></ul><p> Neil Drumm <a class="missing changeset" title="No default repository defined">[21]</a> of the Drupal Security Team. </p> <hr /> <hr /> <ul><li>The Drupal Security Team <a class="missing changeset" title="No default repository defined">[22]</a> </li></ul><hr /> <hr /> <p> The Drupal security team can be reached at security at drupal.org or via the contact form at <a class="ext-link" href="http://drupal.org/contact"><span class="icon">​</span>http://drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[23]</a>. </p> <p> Learn more about the Drupal Security team and their policies <a class="missing changeset" title="No default repository defined">[24]</a>, writing secure code for Drupal <a class="missing changeset" title="No default repository defined">[25]</a>, and securing your site <a class="missing changeset" title="No default repository defined">[26]</a>. </p> <p> Follow the Drupal Security Team on Twitter at <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> <a class="missing changeset" title="No default repository defined">[27]</a> </p> <p> <a class="missing changeset" title="No default repository defined">[1]</a> <a class="ext-link" href="http://drupal.org/project/drupal"><span class="icon">​</span>http://drupal.org/project/drupal</a> <a class="missing changeset" title="No default repository defined">[2]</a> <a class="ext-link" href="http://drupal.org/security-team/risk-levels"><span class="icon">​</span>http://drupal.org/security-team/risk-levels</a> <a class="missing changeset" title="No default repository defined">[3]</a> <a class="ext-link" href="https://www.drupal.org/project/filefield"><span class="icon">​</span>https://www.drupal.org/project/filefield</a> <a class="missing changeset" title="No default repository defined">[4]</a> <a class="ext-link" href="https://www.drupal.org/node/2304561"><span class="icon">​</span>https://www.drupal.org/node/2304561</a> <a class="missing changeset" title="No default repository defined">[5]</a> <a class="ext-link" href="http://cve.mitre.org/"><span class="icon">​</span>http://cve.mitre.org/</a> <a class="missing changeset" title="No default repository defined">[6]</a> <a class="ext-link" href="https://www.drupal.org/drupal-6.32-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-6.32-release-notes</a> <a class="missing changeset" title="No default repository defined">[7]</a> <a class="ext-link" href="https://www.drupal.org/drupal-7.29-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-7.29-release-notes</a> <a class="missing changeset" title="No default repository defined">[8]</a> <a class="ext-link" href="http://drupal.org/project/drupal"><span class="icon">​</span>http://drupal.org/project/drupal</a> <a class="missing changeset" title="No default repository defined">[9]</a> <a class="ext-link" href="https://www.drupal.org/user/1367862"><span class="icon">​</span>https://www.drupal.org/user/1367862</a> <a class="missing changeset" title="No default repository defined">[10]</a> <a class="ext-link" href="https://www.drupal.org/user/556138"><span class="icon">​</span>https://www.drupal.org/user/556138</a> <a class="missing changeset" title="No default repository defined">[11]</a> <a class="ext-link" href="https://www.drupal.org/u/chx"><span class="icon">​</span>https://www.drupal.org/u/chx</a> <a class="missing changeset" title="No default repository defined">[12]</a> <a class="ext-link" href="https://www.drupal.org/user/2844779"><span class="icon">​</span>https://www.drupal.org/user/2844779</a> <a class="missing changeset" title="No default repository defined">[13]</a> <a class="ext-link" href="https://www.drupal.org/user/1367862"><span class="icon">​</span>https://www.drupal.org/user/1367862</a> <a class="missing changeset" title="No default repository defined">[14]</a> <a class="ext-link" href="https://www.drupal.org/user/262198"><span class="icon">​</span>https://www.drupal.org/user/262198</a> <a class="missing changeset" title="No default repository defined">[15]</a> <a class="ext-link" href="https://www.drupal.org/user/35821"><span class="icon">​</span>https://www.drupal.org/user/35821</a> <a class="missing changeset" title="No default repository defined">[16]</a> <a class="ext-link" href="https://www.drupal.org/user/556138"><span class="icon">​</span>https://www.drupal.org/user/556138</a> <a class="missing changeset" title="No default repository defined">[17]</a> <a class="ext-link" href="https://www.drupal.org/user/124982"><span class="icon">​</span>https://www.drupal.org/user/124982</a> <a class="missing changeset" title="No default repository defined">[18]</a> <a class="ext-link" href="https://www.drupal.org/user/17943"><span class="icon">​</span>https://www.drupal.org/user/17943</a> <a class="missing changeset" title="No default repository defined">[19]</a> <a class="ext-link" href="https://www.drupal.org/user/266527"><span class="icon">​</span>https://www.drupal.org/user/266527</a> <a class="missing changeset" title="No default repository defined">[20]</a> <a class="ext-link" href="https://www.drupal.org/u/greggles"><span class="icon">​</span>https://www.drupal.org/u/greggles</a> <a class="missing changeset" title="No default repository defined">[21]</a> <a class="ext-link" href="https://www.drupal.org/u/drumm"><span class="icon">​</span>https://www.drupal.org/u/drumm</a> <a class="missing changeset" title="No default repository defined">[22]</a> <a class="ext-link" href="http://drupal.org/security-team"><span class="icon">​</span>http://drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[23]</a> <a class="ext-link" href="http://drupal.org/contact"><span class="icon">​</span>http://drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[24]</a> <a class="ext-link" href="http://drupal.org/security-team"><span class="icon">​</span>http://drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[25]</a> <a class="ext-link" href="http://drupal.org/writing-secure-code"><span class="icon">​</span>http://drupal.org/writing-secure-code</a> <a class="missing changeset" title="No default repository defined">[26]</a> <a class="ext-link" href="http://drupal.org/security/secure-configuration"><span class="icon">​</span>http://drupal.org/security/secure-configuration</a> <a class="missing changeset" title="No default repository defined">[27]</a> <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> </p> <p> <span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline">_ Security-news mailing list Security-news@… Unsubscribe at <a class="ext-link" href="https://lists.drupal.org/mailman/listinfo/security-news"><span class="icon">​</span>https://lists.drupal.org/mailman/listinfo/security-news</a> </span></p> Results http://localhost:8080/trac/ticket/758#changelog http://localhost:8080/trac/ticket/759 http://localhost:8080/trac/ticket/759 #759: [Security-news] SA-CONTRIB-2014-071 - FileField - Access bypass Wed, 16 Jul 2014 21:59:46 GMT paul <p> View online: <a class="ext-link" href="https://www.drupal.org/node/2304561"><span class="icon">​</span>https://www.drupal.org/node/2304561</a> </p> <ul><li>Advisory ID: DRUPAL-SA-CONTRIB-2014-071 </li><li>Project: <a class="missing wiki">FileField?</a> <a class="missing changeset" title="No default repository defined">[1]</a> (third-party module) </li><li>Version: 6.x </li><li>Date: 2014-July-16 </li><li>Security risk: Critical <a class="missing changeset" title="No default repository defined">[2]</a> </li><li>Exploitable from: Remote </li><li>Vulnerability: Access bypass </li></ul><hr /> <hr /> <p> The <a class="missing wiki">FileField?</a> module enables you to define and use fields that contain files. </p> <p> The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files. </p> <p> This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field. </p> <hr /> <hr /> <ul><li>/A CVE identifier <a class="missing changeset" title="No default repository defined">[3]</a> will be requested, and added upon issuance, in </li></ul><p> accordance with Drupal Security Team processes./ </p> <hr /> <hr /> <ul><li><a class="missing wiki">FileField?</a> 6.x-3.x versions prior to 6.x-3.13. </li></ul><p> Drupal core is not affected. If you do not use the contributed <a class="missing wiki">FileField?</a> <a class="missing changeset" title="No default repository defined">[4]</a> module, there is nothing you need to do. </p> <hr /> <hr /> <ul><li>If you use the <a class="missing wiki">FileField?</a> module for Drupal 6.x, upgrade to Filefield </li></ul><p> 6.x-3.13 <a class="missing changeset" title="No default repository defined">[5]</a>, and also update to Drupal core 6.32 <a class="missing changeset" title="No default repository defined">[6]</a> (see SA-CORE-2014-003 <a class="missing changeset" title="No default repository defined">[7]</a>). </p> <hr /> <hr /> <ul><li>Ivan Ch <a class="missing changeset" title="No default repository defined">[8]</a> </li></ul><hr /> <hr /> <ul><li>Nate Haug <a class="missing changeset" title="No default repository defined">[9]</a> </li><li>Ivan Ch <a class="missing changeset" title="No default repository defined">[10]</a> </li><li>David Snopek <a class="missing changeset" title="No default repository defined">[11]</a> of the Drupal Security Team. </li></ul><hr /> <hr /> <p> The Drupal security team can be reached at security at drupal.org or via the contact form at <a class="ext-link" href="http://drupal.org/contact"><span class="icon">​</span>http://drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[12]</a>. </p> <p> Learn more about the Drupal Security team and their policies <a class="missing changeset" title="No default repository defined">[13]</a>, writing secure code for Drupal <a class="missing changeset" title="No default repository defined">[14]</a>, and securing your site <a class="missing changeset" title="No default repository defined">[15]</a>. </p> <p> Follow the Drupal Security Team on Twitter at <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> <a class="missing changeset" title="No default repository defined">[16]</a> </p> <p> <a class="missing changeset" title="No default repository defined">[1]</a> <a class="ext-link" href="https://www.drupal.org/project/filefield"><span class="icon">​</span>https://www.drupal.org/project/filefield</a> <a class="missing changeset" title="No default repository defined">[2]</a> <a class="ext-link" href="http://drupal.org/security-team/risk-levels"><span class="icon">​</span>http://drupal.org/security-team/risk-levels</a> <a class="missing changeset" title="No default repository defined">[3]</a> <a class="ext-link" href="http://cve.mitre.org/"><span class="icon">​</span>http://cve.mitre.org/</a> <a class="missing changeset" title="No default repository defined">[4]</a> <a class="ext-link" href="http://drupal.org/project/filefield"><span class="icon">​</span>http://drupal.org/project/filefield</a> <a class="missing changeset" title="No default repository defined">[5]</a> <a class="ext-link" href="https://www.drupal.org/node/2304517"><span class="icon">​</span>https://www.drupal.org/node/2304517</a> <a class="missing changeset" title="No default repository defined">[6]</a> <a class="ext-link" href="https://www.drupal.org/drupal-6.32-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-6.32-release-notes</a> <a class="missing changeset" title="No default repository defined">[7]</a> <a class="ext-link" href="https://www.drupal.org/SA-CORE-2014-003"><span class="icon">​</span>https://www.drupal.org/SA-CORE-2014-003</a> <a class="missing changeset" title="No default repository defined">[8]</a> <a class="ext-link" href="https://www.drupal.org/user/556138"><span class="icon">​</span>https://www.drupal.org/user/556138</a> <a class="missing changeset" title="No default repository defined">[9]</a> <a class="ext-link" href="https://www.drupal.org/user/35821"><span class="icon">​</span>https://www.drupal.org/user/35821</a> <a class="missing changeset" title="No default repository defined">[10]</a> <a class="ext-link" href="https://www.drupal.org/user/556138"><span class="icon">​</span>https://www.drupal.org/user/556138</a> <a class="missing changeset" title="No default repository defined">[11]</a> <a class="ext-link" href="https://www.drupal.org/user/266527"><span class="icon">​</span>https://www.drupal.org/user/266527</a> <a class="missing changeset" title="No default repository defined">[12]</a> <a class="ext-link" href="http://drupal.org/contact"><span class="icon">​</span>http://drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[13]</a> <a class="ext-link" href="http://drupal.org/security-team"><span class="icon">​</span>http://drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[14]</a> <a class="ext-link" href="http://drupal.org/writing-secure-code"><span class="icon">​</span>http://drupal.org/writing-secure-code</a> <a class="missing changeset" title="No default repository defined">[15]</a> <a class="ext-link" href="http://drupal.org/security/secure-configuration"><span class="icon">​</span>http://drupal.org/security/secure-configuration</a> <a class="missing changeset" title="No default repository defined">[16]</a> <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> </p> <p> <span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline">_ Security-news mailing list Security-news@… Unsubscribe at <a class="ext-link" href="https://lists.drupal.org/mailman/listinfo/security-news"><span class="icon">​</span>https://lists.drupal.org/mailman/listinfo/security-news</a> </span></p> Results http://localhost:8080/trac/ticket/759#changelog http://localhost:8080/trac/ticket/789 http://localhost:8080/trac/ticket/789 #789: SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS) Mon, 22 Sep 2014 13:09:48 GMT paul <p> View online: <a class="ext-link" href="https://www.drupal.org/node/2340029"><span class="icon">​</span>https://www.drupal.org/node/2340029</a> </p> <ul><li>Advisory ID: DRUPAL-SA-CONTRIB-2014-088 </li><li>Project: Mollom <a class="missing changeset" title="No default repository defined">[1]</a> (third-party module) </li><li>Version: 6.x, 7.x </li><li>Date: 2014-September-17 </li><li>Security risk: 11/25 ( Moderately Critical) </li></ul><p> AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon <a class="missing changeset" title="No default repository defined">[2]</a> </p> <ul><li>Vulnerability: Cross Site Scripting </li></ul><hr /> <hr /> <p> Mollom is an "intelligent" content moderation web service which determines if a post is potentially spam; not only based on the posted content, but also on the past activity and reputation of the poster across multiple sites. </p> <p> Mollom offers a feature to report submitted content as inappropriate which allows end users to indicate that a piece of site content is objectionable or out of place. When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting (XSS) attacks. </p> <p> This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the content type must be enabled for "Flag as Inappropriate" within the Mollom advanced configuration settings (which is not the default setting). </p> <hr /> <hr /> <ul><li>/A CVE identifier <a class="missing changeset" title="No default repository defined">[3]</a> will be requested, and added upon issuance, in </li></ul><p> accordance with Drupal Security Team processes./ </p> <hr /> <hr /> <ul><li>Mollom 6.x-2.x versions from 6.x-2.7 to 6.x-2.10 </li><li>Mollom 7.x-2.x versions from 7.x-2.9 to 7.x-2.10 </li></ul><p> Drupal core is not affected. If you do not use the contributed Mollom <a class="missing changeset" title="No default repository defined">[4]</a> module, there is nothing you need to do. </p> <hr /> <hr /> <p> Install the latest version: </p> <ul><li>If you use the Mollom module for Drupal 6.x, upgrade to Mollom 6.x-2.11 </li></ul><p> <a class="missing changeset" title="No default repository defined">[5]</a> </p> <ul><li>If you use the Mollom module for Drupal 7.x, upgrade to Mollom 7.x-2.11 </li></ul><p> <a class="missing changeset" title="No default repository defined">[6]</a> </p> <p> Also see the Mollom <a class="missing changeset" title="No default repository defined">[7]</a> project page. </p> <hr /> <hr /> <ul><li>Matt Vance <a class="missing changeset" title="No default repository defined">[8]</a> </li></ul><hr /> <hr /> <ul><li>Lisa Backer <a class="missing changeset" title="No default repository defined">[9]</a> the module maintainer </li><li>Matt Vance <a class="missing changeset" title="No default repository defined">[10]</a> </li></ul><hr /> <hr /> <ul><li>Greg Knaddison <a class="missing changeset" title="No default repository defined">[11]</a> of the Drupal Security Team </li></ul><hr /> <hr /> <p> The Drupal security team can be reached at security at drupal.org or via the contact form at <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[12]</a>. </p> <p> Learn more about the Drupal Security team and their policies <a class="missing changeset" title="No default repository defined">[13]</a>, writing secure code for Drupal <a class="missing changeset" title="No default repository defined">[14]</a>, and securing your site <a class="missing changeset" title="No default repository defined">[15]</a>. </p> <p> <a class="missing changeset" title="No default repository defined">[1]</a> <a class="ext-link" href="https://www.drupal.org/project/mollom"><span class="icon">​</span>https://www.drupal.org/project/mollom</a> <a class="missing changeset" title="No default repository defined">[2]</a> <a class="ext-link" href="https://www.drupal.org/security-team/risk-levels"><span class="icon">​</span>https://www.drupal.org/security-team/risk-levels</a> <a class="missing changeset" title="No default repository defined">[3]</a> <a class="ext-link" href="http://cve.mitre.org/"><span class="icon">​</span>http://cve.mitre.org/</a> <a class="missing changeset" title="No default repository defined">[4]</a> <a class="ext-link" href="https://www.drupal.org/project/mollom"><span class="icon">​</span>https://www.drupal.org/project/mollom</a> <a class="missing changeset" title="No default repository defined">[5]</a> <a class="ext-link" href="https://www.drupal.org/node/2338787"><span class="icon">​</span>https://www.drupal.org/node/2338787</a> <a class="missing changeset" title="No default repository defined">[6]</a> <a class="ext-link" href="https://www.drupal.org/node/2338789"><span class="icon">​</span>https://www.drupal.org/node/2338789</a> <a class="missing changeset" title="No default repository defined">[7]</a> <a class="ext-link" href="https://www.drupal.org/project/mollom"><span class="icon">​</span>https://www.drupal.org/project/mollom</a> <a class="missing changeset" title="No default repository defined">[8]</a> <a class="ext-link" href="https://www.drupal.org/user/88338"><span class="icon">​</span>https://www.drupal.org/user/88338</a> <a class="missing changeset" title="No default repository defined">[9]</a> <a class="ext-link" href="https://www.drupal.org/user/1951462"><span class="icon">​</span>https://www.drupal.org/user/1951462</a> <a class="missing changeset" title="No default repository defined">[10]</a> <a class="ext-link" href="https://www.drupal.org/user/88338"><span class="icon">​</span>https://www.drupal.org/user/88338</a> <a class="missing changeset" title="No default repository defined">[11]</a> <a class="ext-link" href="https://www.drupal.org/user/36762"><span class="icon">​</span>https://www.drupal.org/user/36762</a> <a class="missing changeset" title="No default repository defined">[12]</a> <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[13]</a> <a class="ext-link" href="https://www.drupal.org/security-team"><span class="icon">​</span>https://www.drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[14]</a> <a class="ext-link" href="https://www.drupal.org/writing-secure-code"><span class="icon">​</span>https://www.drupal.org/writing-secure-code</a> <a class="missing changeset" title="No default repository defined">[15]</a> <a class="ext-link" href="https://www.drupal.org/security/secure-configuration"><span class="icon">​</span>https://www.drupal.org/security/secure-configuration</a> </p> Results http://localhost:8080/trac/ticket/789#changelog http://localhost:8080/trac/ticket/792 http://localhost:8080/trac/ticket/792 #792: [Security-news] SA-CONTRIB-2014-094 - Webform Patched - Cross Site Scripting (XSS) Mon, 29 Sep 2014 09:28:08 GMT paul <p> View online: <a class="ext-link" href="https://www.drupal.org/node/2344369"><span class="icon">​</span>https://www.drupal.org/node/2344369</a> </p> <ul><li>Advisory ID: DRUPAL-SA-CONTRIB-2014-094 </li><li>Project: Webform Patched <a class="missing changeset" title="No default repository defined">[1]</a> (third-party module) </li><li>Version: 6.x, 7.x </li><li>Date: 2014-September-24 </li><li>Security risk: 13/25 ( Moderately Critical) </li></ul><p> AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default <a class="missing changeset" title="No default repository defined">[2]</a> </p> <ul><li>Vulnerability: Cross Site Scripting </li></ul><hr /> <hr /> <p> The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site. </p> <p> The module doesn't sufficiently sanitize field label titles when two fields have the same form_key, which can only be managed by carefully crafting the webform structure via a specific set of circumstances. </p> <p> This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create webform content". </p> <hr /> <hr /> <ul><li>/A CVE identifier <a class="missing changeset" title="No default repository defined">[3]</a> will be requested, and added upon issuance, in </li></ul><p> accordance with Drupal Security Team processes./ </p> <hr /> <hr /> <ul><li>Webform Patched 6.x-3.x versions prior to 6.x-3.20. </li><li>Webform Patched 7.x-3.x versions prior to 7.x-3.20. </li></ul><p> Drupal core is not affected. If you do not use the contributed Webform Patched <a class="missing changeset" title="No default repository defined">[4]</a> module, there is nothing you need to do. </p> <hr /> <hr /> <p> Install the latest version: </p> <ul><li>If you use the webform module for Drupal 6.x, upgrade to webform_patched </li></ul><p> 6.x-3.20 <a class="missing changeset" title="No default repository defined">[5]</a> </p> <ul><li>If you use the webform module for Drupal 7.x-3.x, upgrade to </li></ul><p> webform_patched 7.x-3.20 <a class="missing changeset" title="No default repository defined">[6]</a> </p> <p> Also see the Webform Patched <a class="missing changeset" title="No default repository defined">[7]</a> project page. </p> <hr /> <hr /> <ul><li>Maurits Lawende <a class="missing changeset" title="No default repository defined">[8]</a> </li><li>Matt Vance <a class="missing changeset" title="No default repository defined">[9]</a> </li></ul><hr /> <hr /> <ul><li>Nate Haug <a class="missing changeset" title="No default repository defined">[10]</a> the module maintainer </li></ul><hr /> <hr /> <ul><li>Greg Knaddison <a class="missing changeset" title="No default repository defined">[11]</a>, Dan Smith <a class="missing changeset" title="No default repository defined">[12]</a> and Lee Rowlands <a class="missing changeset" title="No default repository defined">[13]</a> of the Drupal </li></ul><p> Security Team </p> <hr /> <hr /> <p> The Drupal security team can be reached at security at drupal.org or via the contact form at <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[14]</a>. </p> <p> Learn more about the Drupal Security team and their policies <a class="missing changeset" title="No default repository defined">[15]</a>, writing secure code for Drupal <a class="missing changeset" title="No default repository defined">[16]</a>, and securing your site <a class="missing changeset" title="No default repository defined">[17]</a>. </p> <p> <a class="missing changeset" title="No default repository defined">[1]</a> <a class="ext-link" href="https://www.drupal.org/project/webform_patched"><span class="icon">​</span>https://www.drupal.org/project/webform_patched</a> <a class="missing changeset" title="No default repository defined">[2]</a> <a class="ext-link" href="https://www.drupal.org/security-team/risk-levels"><span class="icon">​</span>https://www.drupal.org/security-team/risk-levels</a> <a class="missing changeset" title="No default repository defined">[3]</a> <a class="ext-link" href="http://cve.mitre.org/"><span class="icon">​</span>http://cve.mitre.org/</a> <a class="missing changeset" title="No default repository defined">[4]</a> <a class="ext-link" href="https://www.drupal.org/project/webform_patched"><span class="icon">​</span>https://www.drupal.org/project/webform_patched</a> <a class="missing changeset" title="No default repository defined">[5]</a> <a class="ext-link" href="http://drupal.org/node/2241675"><span class="icon">​</span>http://drupal.org/node/2241675</a> <a class="missing changeset" title="No default repository defined">[6]</a> <a class="ext-link" href="http://drupal.org/node/2241685"><span class="icon">​</span>http://drupal.org/node/2241685</a> <a class="missing changeset" title="No default repository defined">[7]</a> <a class="ext-link" href="https://www.drupal.org/project/webform_patched"><span class="icon">​</span>https://www.drupal.org/project/webform_patched</a> <a class="missing changeset" title="No default repository defined">[8]</a> <a class="ext-link" href="http://drupal.org/user/243897"><span class="icon">​</span>http://drupal.org/user/243897</a> <a class="missing changeset" title="No default repository defined">[9]</a> <a class="ext-link" href="https://www.drupal.org/user/10269"><span class="icon">​</span>https://www.drupal.org/user/10269</a> <a class="missing changeset" title="No default repository defined">[10]</a> <a class="ext-link" href="http://drupal.org/user/35821"><span class="icon">​</span>http://drupal.org/user/35821</a> <a class="missing changeset" title="No default repository defined">[11]</a> <a class="ext-link" href="http://drupal.org/user/36762"><span class="icon">​</span>http://drupal.org/user/36762</a> <a class="missing changeset" title="No default repository defined">[12]</a> <a class="ext-link" href="http://drupal.org/user/241220"><span class="icon">​</span>http://drupal.org/user/241220</a> <a class="missing changeset" title="No default repository defined">[13]</a> <a class="ext-link" href="https://drupal.org/user/395439"><span class="icon">​</span>https://drupal.org/user/395439</a> <a class="missing changeset" title="No default repository defined">[14]</a> <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[15]</a> <a class="ext-link" href="https://www.drupal.org/security-team"><span class="icon">​</span>https://www.drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[16]</a> <a class="ext-link" href="https://www.drupal.org/writing-secure-code"><span class="icon">​</span>https://www.drupal.org/writing-secure-code</a> <a class="missing changeset" title="No default repository defined">[17]</a> <a class="ext-link" href="https://www.drupal.org/security/secure-configuration"><span class="icon">​</span>https://www.drupal.org/security/secure-configuration</a> </p> Results http://localhost:8080/trac/ticket/792#changelog http://localhost:8080/trac/ticket/804 http://localhost:8080/trac/ticket/804 #804: Investigating the site security following SA-CORE-2014-005 (Drupal 7.32) Mon, 03 Nov 2014 15:20:25 GMT paul <p> It was discovered that TN could have have been compromised from the recent security vulnerability (even though we are running Drupal 6) as the site is using the DBTNG module. However the site doesn't appear to have been compromised. I'll post my findings shortly. </p> Results http://localhost:8080/trac/ticket/804#changelog http://localhost:8080/trac/ticket/809 http://localhost:8080/trac/ticket/809 #809: [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006 Wed, 19 Nov 2014 21:35:25 GMT paul <p> View online: <a class="ext-link" href="https://www.drupal.org/SA-CORE-2014-006"><span class="icon">​</span>https://www.drupal.org/SA-CORE-2014-006</a> </p> <ul><li>Advisory ID: DRUPAL-SA-CORE-2014-006 </li><li>Project: Drupal core <a class="missing changeset" title="No default repository defined">[1]</a> </li><li>Version: 6.x, 7.x </li><li>Date: 2014-November-19 </li><li>Security risk: 14/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon <a class="missing changeset" title="No default repository defined">[2]</a> </li><li>Vulnerability: Multiple vulnerabilities </li></ul><hr /> <hr /> <p> .... Session hijacking (Drupal 6 and 7) </p> <p> A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session. </p> <p> This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode" <a class="missing changeset" title="No default repository defined">[3]</a>), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7. </p> <p> .... Denial of service (Drupal 7 only) </p> <p> Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text. </p> <p> A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). </p> <p> This vulnerability can be exploited by anonymous users. </p> <hr /> <hr /> <ul><li>/A CVE identifier <a class="missing changeset" title="No default repository defined">[4]</a> will be requested, and added upon issuance, in accordance </li></ul><blockquote> <blockquote> <p> with Drupal Security Team processes./ </p> </blockquote> </blockquote> <hr /> <hr /> <ul><li>Drupal core 6.x versions prior to 6.34. </li><li>Drupal core 7.x versions prior to 7.34. </li></ul><hr /> <hr /> <p> Install the latest version: </p> <ul><li>If you use Drupal 6.x, upgrade to Drupal core 6.34. <a class="missing changeset" title="No default repository defined">[5]</a> </li><li>If you use Drupal 7.x, upgrade to Drupal core 7.34. <a class="missing changeset" title="No default repository defined">[6]</a> </li></ul><p> If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113 <a class="missing changeset" title="No default repository defined">[7]</a> </p> <p> Also see the Drupal core <a class="missing changeset" title="No default repository defined">[8]</a> project page. </p> <hr /> <hr /> <p> Session hijacking: </p> <ul><li>Aaron Averill <a class="missing changeset" title="No default repository defined">[9]</a> </li></ul><p> Denial of service: </p> <ul><li>Michael Cullum <a class="missing changeset" title="No default repository defined">[10]</a> </li><li>Javier Nieto <a class="missing changeset" title="No default repository defined">[11]</a> </li><li>Andrés Rojas Guerrero <a class="missing changeset" title="No default repository defined">[12]</a> </li></ul><hr /> <hr /> <p> Session hijacking: </p> <ul><li>Klaus Purer <a class="missing changeset" title="No default repository defined">[13]</a> of the Drupal Security Team </li><li>David Rothstein <a class="missing changeset" title="No default repository defined">[14]</a> of the Drupal Security Team </li><li>Peter Wolanin <a class="missing changeset" title="No default repository defined">[15]</a> of the Drupal Security Team </li></ul><p> Denial of service: </p> <ul><li>Klaus Purer <a class="missing changeset" title="No default repository defined">[16]</a> of the Drupal Security Team </li><li>Peter Wolanin <a class="missing changeset" title="No default repository defined">[17]</a> of the Drupal Security Team </li><li>Heine Deelstra <a class="missing changeset" title="No default repository defined">[18]</a> of the Drupal Security Team </li><li>Tom Phethean <a class="missing changeset" title="No default repository defined">[19]</a> </li></ul><hr /> <hr /> <ul><li>The Drupal Security Team </li></ul><hr /> <hr /> <p> The Drupal security team can be reached at security at drupal.org or via the contact form at <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[20]</a>. </p> <p> Learn more about the Drupal Security team and their policies <a class="missing changeset" title="No default repository defined">[21]</a>, writing secure code for Drupal <a class="missing changeset" title="No default repository defined">[22]</a>, and securing your site <a class="missing changeset" title="No default repository defined">[23]</a>. </p> <p> Follow the Drupal Security Team on Twitter at <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> <a class="missing changeset" title="No default repository defined">[24]</a> </p> <p> <a class="missing changeset" title="No default repository defined">[1]</a> <a class="ext-link" href="https://www.drupal.org/project/drupal"><span class="icon">​</span>https://www.drupal.org/project/drupal</a> <a class="missing changeset" title="No default repository defined">[2]</a> <a class="ext-link" href="https://www.drupal.org/security-team/risk-levels"><span class="icon">​</span>https://www.drupal.org/security-team/risk-levels</a> <a class="missing changeset" title="No default repository defined">[3]</a> <a class="ext-link" href="https://www.drupal.org/https-information"><span class="icon">​</span>https://www.drupal.org/https-information</a> <a class="missing changeset" title="No default repository defined">[4]</a> <a class="ext-link" href="http://cve.mitre.org/"><span class="icon">​</span>http://cve.mitre.org/</a> <a class="missing changeset" title="No default repository defined">[5]</a> <a class="ext-link" href="https://www.drupal.org/drupal-6.34-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-6.34-release-notes</a> <a class="missing changeset" title="No default repository defined">[6]</a> <a class="ext-link" href="https://www.drupal.org/drupal-7.34-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-7.34-release-notes</a> <a class="missing changeset" title="No default repository defined">[7]</a> <a class="ext-link" href="https://www.drupal.org/node/2378367"><span class="icon">​</span>https://www.drupal.org/node/2378367</a> <a class="missing changeset" title="No default repository defined">[8]</a> <a class="ext-link" href="https://www.drupal.org/project/drupal"><span class="icon">​</span>https://www.drupal.org/project/drupal</a> <a class="missing changeset" title="No default repository defined">[9]</a> <a class="ext-link" href="https://www.drupal.org/user/1317732"><span class="icon">​</span>https://www.drupal.org/user/1317732</a> <a class="missing changeset" title="No default repository defined">[10]</a> <a class="ext-link" href="https://www.drupal.org/u/MichaelCu"><span class="icon">​</span>https://www.drupal.org/u/MichaelCu</a> <a class="missing changeset" title="No default repository defined">[11]</a> <a class="ext-link" href="https://www.drupal.org/u/jnietotn"><span class="icon">​</span>https://www.drupal.org/u/jnietotn</a> <a class="missing changeset" title="No default repository defined">[12]</a> <a class="ext-link" href="https://www.drupal.org/u/c0r3dump3d"><span class="icon">​</span>https://www.drupal.org/u/c0r3dump3d</a> <a class="missing changeset" title="No default repository defined">[13]</a> <a class="ext-link" href="https://www.drupal.org/u/klausi"><span class="icon">​</span>https://www.drupal.org/u/klausi</a> <a class="missing changeset" title="No default repository defined">[14]</a> <a class="ext-link" href="https://www.drupal.org/u/David_Rothstein"><span class="icon">​</span>https://www.drupal.org/u/David_Rothstein</a> <a class="missing changeset" title="No default repository defined">[15]</a> <a class="ext-link" href="https://www.drupal.org/u/pwolanin"><span class="icon">​</span>https://www.drupal.org/u/pwolanin</a> <a class="missing changeset" title="No default repository defined">[16]</a> <a class="ext-link" href="https://www.drupal.org/u/klausi"><span class="icon">​</span>https://www.drupal.org/u/klausi</a> <a class="missing changeset" title="No default repository defined">[17]</a> <a class="ext-link" href="https://www.drupal.org/u/pwolanin"><span class="icon">​</span>https://www.drupal.org/u/pwolanin</a> <a class="missing changeset" title="No default repository defined">[18]</a> <a class="ext-link" href="https://www.drupal.org/u/Heine"><span class="icon">​</span>https://www.drupal.org/u/Heine</a> <a class="missing changeset" title="No default repository defined">[19]</a> <a class="ext-link" href="https://www.drupal.org/u/tsphethean"><span class="icon">​</span>https://www.drupal.org/u/tsphethean</a> <a class="missing changeset" title="No default repository defined">[20]</a> <a class="ext-link" href="https://www.drupal.org/contact"><span class="icon">​</span>https://www.drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[21]</a> <a class="ext-link" href="https://www.drupal.org/security-team"><span class="icon">​</span>https://www.drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[22]</a> <a class="ext-link" href="https://www.drupal.org/writing-secure-code"><span class="icon">​</span>https://www.drupal.org/writing-secure-code</a> <a class="missing changeset" title="No default repository defined">[23]</a> <a class="ext-link" href="https://www.drupal.org/security/secure-configuration"><span class="icon">​</span>https://www.drupal.org/security/secure-configuration</a> <a class="missing changeset" title="No default repository defined">[24]</a> <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> </p> Results http://localhost:8080/trac/ticket/809#changelog http://localhost:8080/trac/ticket/849 http://localhost:8080/trac/ticket/849 #849: (No subject) Tue, 28 Apr 2015 12:35:03 GMT paul <pre class="wiki">Hi Sam / Ade Would you advise when outstanding invoices will be paid? We used to get our invoices paid every month. -- Best Paul Booker Drupal Developer &amp; Linux Systems Administrator Website: http://www.paulbooker.co.uk Drupal.org: https://www.drupal.org/u/paulbooker Twitter: @paulbooker &lt;https://www.twitter.com/paulbooker&gt; Tel: +44 01922 861636 </pre> Results http://localhost:8080/trac/ticket/849#changelog http://localhost:8080/trac/ticket/877 http://localhost:8080/trac/ticket/877 #877: RE: outstanding invoices Thu, 15 Oct 2015 11:20:05 GMT paul <pre class="wiki">Hi Sam, Hope you're well. Any chance you could pay my 3 outstanding invoices today? Best, Paul -- Paul Booker Drupal Support for Websites and Linux Servers Website: http://www.paulbooker.co.uk Tel: +44 01922 861636 </pre> Results http://localhost:8080/trac/ticket/877#changelog http://localhost:8080/trac/ticket/884 http://localhost:8080/trac/ticket/884 #884: RE: http://news.transitionnetwork.org Thu, 03 Dec 2015 12:40:03 GMT paul <pre class="wiki">Hi Chris, All Can you help me to reset my password for paulbooker for news.transitionnetwork.org? I just tried to use the reset password form but I never received an email and when I Iooked at the settings,php file for the website (generated by Aegir) I couldn't see immediately where to find the database. I think I may have missed some recent updates to news.transitionnetwork.org so urgently need to resolve this today. Not sure how this has fallen of my radar, but, I just noticed that news.transitionnetwork.org is no longer mentioned on the platform page on Aegir so may have got into thinking that this site no longer exists. http://news.transitionnetwork.org https://tn.puffin.webarch.net/hosting/platforms -- Paul Booker Drupal Support for Websites and Linux Servers Website: http://www.paulbooker.co.uk Tel: +44 01922 861636 </pre> Results http://localhost:8080/trac/ticket/884#changelog http://localhost:8080/trac/ticket/899 http://localhost:8080/trac/ticket/899 #899: Managing security after Feb 24th, 2016. Thu, 28 Jan 2016 15:22:28 GMT paul <p> Hello, </p> <p> Just did some research to check how we will manage security after Feb 24th, 2016. </p> <p> A small group of vendors (approved by the security team) will provide patches for core and some of the most commonly used contributed modules, that are used on their client websites. Security patches will be put in the Git repo for the <a class="ext-link" href="https://www.drupal.org/project/d6lts/"><span class="icon">​</span>D6LTS</a> project on Drupal.org, and will be announced in the issue queue. We will just need to monitor this issue queue and apply any security patches. </p> <p> However, these vendors will not be supporting ALL contributed modules. Each of the vendors will be maintaining lists, and providing them to the Drupal Security Team so they know which issues to include them on. With this in mind shall we send a copy of our list of contributed modules to each of the vendor companies and ask them to provide us with a list of our modules that they are currently not supporting? We can then decide how we should support the modules that are not supported by the vendors. </p> <p> Best, Paul </p> Results http://localhost:8080/trac/ticket/899#changelog