
List:       oss-security
Subject:    [oss-security] SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-11-22 20:09:04
Message-ID: 528FB9E0.8090807 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://drupal.org/SA-CORE-2013-003

SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities

Multiple vulnerabilities due to optimistic cross-site request forgery
protection (Form API validation
Please use CVE-2013-6385 for this issue.

Multiple vulnerabilities due to weakness in pseudorandom number
generation using mt_rand() (Form API, OpenID and random password
generation - Drupal 6 and 7)
Please use CVE-2013-6386 for this issue.

Code execution prevention (Files directory .htaccess for Apache -
Drupal 6 and 7)
Treating as security hardening

Access bypass (Security token validation - Drupal 6 and 7)
Treating as security hardening

Cross-site scripting (Image module - Drupal 7)
Please use CVE-2013-6387 for this issue.

Cross-site scripting (Color module - Drupal 7)
Please use CVE-2013-6388 for this issue.

Open redirect (Overlay module - Drupal 7)
Please use CVE-2013-6389 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----