Category Archives: Advisories

Drupal core – Critical – Cross Site Scripting – SA-CORE-2024-005

Read Time:50 Second
Project: 
Date: 
2024-November-20
Vulnerability: 
Cross Site Scripting
Description: 

Drupal 7 core’s Overlay module doesn’t safely handle user input, leading to reflected cross-site scripting under certain circumstances.

Only sites with the Overlay module enabled are affected by this vulnerability.

Solution: 

Install the latest version:

If you are using Drupal 7, update to Drupal 7.102
Sites may also disable the Overlay module to avoid the issue.

Drupal 10 and Drupal 11 are not affected, as the Overlay module was removed from Drupal core in Drupal 8.

Reported By: 
Fixed By: 
Cesar
Greg Knaddison of the Drupal Security Team
Matthew Grill
Wim Leers
Drew Webber of the Drupal Security Team
Ra Mänd
Fabian Franz
Juraj Nemec of the Drupal Security Team
Coordinated By: 
Juraj Nemec of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
xjm of the Drupal Security Team

Read More

Drupal core – Moderately critical – Access bypass – SA-CORE-2024-004

Read Time:1 Minute, 17 Second
Project: 
Date: 
2024-November-20
Vulnerability: 
Access bypass
Affected versions: 
>= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8
Description: 

Drupal’s uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation.

As a result, a user may be able to register with the same email address as another user.

This may lead to data integrity issues.

Solution: 

Install the latest version:

If you are using Drupal 10.2, update to Drupal 10.2.11.
If you are using Drupal 10.3, update to Drupal 10.3.9.
If you are using Drupal 11.0, update to Drupal 11.0.8.
Drupal 7 is not affected.

All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Updating Drupal will not solve potential issues with existing accounts affected by this bug. See Fixing emails that vary only by case for additional guidance.

Reported By: 
Fixed By: 
Wayne Eaker
cilefen of the Drupal Security Team
Kristiaan Van den Eynde
Drew Webber of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Coordinated By: 
Juraj Nemec of the Drupal Security Team
Benji Fisher of the Drupal Security Team
xjm of the Drupal Security Team

Read More

Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2024-003

Read Time:1 Minute, 3 Second
Project: 
Date: 
2024-November-20
Vulnerability: 
Cross Site Scripting
Affected versions: 
>= 8.8.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8
Description: 

Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.

Solution: 

Install the latest version:

If you are using Drupal 10.2, update to Drupal 10.2.11.
If you are using Drupal 10.3, update to Drupal 10.3.9.
If you are using Drupal 11.0, update to Drupal 11.0.8.

All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 
Fixed By: 
Lee Rowlands of the Drupal Security Team
catch of the Drupal Security Team
Mingsong
Juraj Nemec of the Drupal Security Team
Dave Long of the Drupal Security Team
Benji Fisher of the Drupal Security Team
Coordinated By: 
Juraj Nemec of the Drupal Security Team
Greg Knaddison of the Drupal Security Team

Read More

rust-rustls-0.23.17-1.el9 rust-zlib-rs-0.4.0-1.el9

Read Time:28 Second

FEDORA-EPEL-2024-3672733748

Packages in this update:

rust-rustls-0.23.17-1.el9
rust-zlib-rs-0.4.0-1.el9

Update description:

Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.

The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow during decompression with malicious input). This issue had no actual impact in Fedora, because no applications yet use the the zlib-rs feature of rustls and rustls is the only dependent package of zlib-rs.

Read More

rust-rustls-0.23.17-1.el10_0 rust-zlib-rs-0.4.0-1.el10_0

Read Time:29 Second

FEDORA-EPEL-2024-21e104619e

Packages in this update:

rust-rustls-0.23.17-1.el10_0
rust-zlib-rs-0.4.0-1.el10_0

Update description:

Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.

The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow during decompression with malicious input). This issue had no actual impact in Fedora, because no applications yet use the the zlib-rs feature of rustls and rustls is the only dependent package of zlib-rs.

Read More

rust-rustls-0.23.17-1.fc40 rust-zlib-rs-0.4.0-1.fc40

Read Time:28 Second

FEDORA-2024-632b468c59

Packages in this update:

rust-rustls-0.23.17-1.fc40
rust-zlib-rs-0.4.0-1.fc40

Update description:

Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.

The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow during decompression with malicious input). This issue had no actual impact in Fedora, because no applications yet use the the zlib-rs feature of rustls and rustls is the only dependent package of zlib-rs.

Read More

rust-rustls-0.23.17-1.fc41 rust-zlib-rs-0.4.0-1.fc41

Read Time:28 Second

FEDORA-2024-41e6e2fc74

Packages in this update:

rust-rustls-0.23.17-1.fc41
rust-zlib-rs-0.4.0-1.fc41

Update description:

Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.

The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow during decompression with malicious input). This issue had no actual impact in Fedora, because no applications yet use the the zlib-rs feature of rustls and rustls is the only dependent package of zlib-rs.

Read More

rust-rustls-0.23.17-1.fc42 rust-zlib-rs-0.4.0-1.fc42

Read Time:28 Second

FEDORA-2024-6bcc5bbd5f

Packages in this update:

rust-rustls-0.23.17-1.fc42
rust-zlib-rs-0.4.0-1.fc42

Update description:

Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.

The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow during decompression with malicious input). This issue had no actual impact in Fedora, because no applications yet use the the zlib-rs feature of rustls and rustls is the only dependent package of zlib-rs.

Read More

USN-7121-2: Linux kernel (Azure) vulnerabilities

Read Time:1 Minute, 12 Second

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– ARM64 architecture;
– S390 architecture;
– x86 architecture;
– Block layer subsystem;
– Cryptographic API;
– ATM drivers;
– Device frequency scaling framework;
– GPU drivers;
– Hardware monitoring drivers;
– VMware VMCI Driver;
– Network drivers;
– Device tree and open firmware driver;
– SCSI drivers;
– Greybus lights staging drivers;
– BTRFS file system;
– File systems infrastructure;
– F2FS file system;
– JFS file system;
– NILFS2 file system;
– Netfilter;
– Memory management;
– Ethernet bridge;
– IPv6 networking;
– IUCV driver;
– Logical Link layer;
– MAC80211 subsystem;
– NFC subsystem;
– Network traffic control;
– Unix domain sockets;
(CVE-2023-52614, CVE-2024-26633, CVE-2024-46758, CVE-2024-46723,
CVE-2023-52502, CVE-2024-41059, CVE-2024-44987, CVE-2024-36020,
CVE-2023-52599, CVE-2023-52639, CVE-2024-26668, CVE-2024-42094,
CVE-2022-48938, CVE-2022-48733, CVE-2024-27397, CVE-2023-52578,
CVE-2024-38560, CVE-2024-38538, CVE-2024-42310, CVE-2024-46722,
CVE-2024-46800, CVE-2024-41095, CVE-2024-42104, CVE-2024-35877,
CVE-2022-48943, CVE-2024-46743, CVE-2023-52531, CVE-2024-46757,
CVE-2024-36953, CVE-2024-46756, CVE-2024-38596, CVE-2023-52612,
CVE-2024-38637, CVE-2024-41071, CVE-2024-46759, CVE-2024-43882,
CVE-2024-26675, CVE-2024-43854, CVE-2024-44942, CVE-2024-44998,
CVE-2024-42240, CVE-2024-41089, CVE-2024-26636, CVE-2024-46738,
CVE-2024-42309)

Read More