Drupal7 in Jessie has 3 security issues:

CVE-2020-11022 / CVE-2020-11023 / SA-CORE-2020-002

Vulnerabilities in the jquery library. The Debian drupal7 package comes with jquery 1.4.4 (debian/missing-sources/jquery-1.4.4.js).

In 7.27+dfsg-1 the maintainer attempted to use the libjs-jquery package instead.

In 7.27+dfsg2-1 - the next release - the above change was reverted due to "heavy breakage", with a reference to https://bugs.debian.org/699286 which says "Turns out, they have a hard dependency on the 1.4.4 version."

The upstream patch is invasive: https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77

Plus the commit has the comment "There is no patch for 1.x or 2.x, they are no longer supported and in any case this is a pretty big breaking change, likely even more so on the browsers supported by those versions. Patching this would almost surely cause a cascade of failures in code and plugins that you would need to address."

As such, I am reluctant to want to try to patch the jquery issues.

CVE-2020-13662 / SA-CORE-2020-003

The upstream patch (https://git.drupalcode.org/project/drupal/-/commit/905ff00a44160adee3f266cdcc87d3350a64a072) is trivial and applies cleanly to the Jessie version.

=== cut ===
--- drupal7-7.32.orig/includes/common.inc
+++ drupal7-7.32/includes/common.inc
@@ -684,7 +684,10 @@
   // We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector.
   if (isset($_GET['destination']) && !url_is_external($_GET['destination'])) {
     $destination = drupal_parse_url($_GET['destination']);
-    $path = $destination['path'];
+    // Double check the path derived by drupal_parse_url() is not external.
+    if (!url_is_external($destination['path'])) {
+      $path = $destination['path'];
+    }
     $options['query'] = $destination['query'];
     $options['fragment'] = $destination['fragment'];
   }
=== cut ===

As such, I am inclined to patch the CVE-2020-13662 / SA-CORE-2020-003 issue, but not touch the jquery issue.

Comments?
-- 
Brian May <br...@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
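Review bot: The two assignments that follow the new block, `$options['query'] = $destination['query'];` and `$options['fragment'] = $destination['fragment'];`, still run when the second `url_is_external()` check rejects `$destination['path']`, so a rejected destination keeps the caller's `$path` but still overrides the query and fragment. If that is the intended behaviour (it matches the upstream commit referenced above), a one-line comment saying so would save the next reader the same question; otherwise move those two lines inside the new `if`. Either way this is a silent drop, so consider whether a `watchdog()` entry on the rejected path would help when reviewing logs for misuse of the `destination` parameter.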
Vulnerabilities in jquery library. The Debian drupal7 package comes with jquery 1.4.4 (debian/missing-sources/jquery-1.4.4.js). 7.27+dfsg-1 the maintainer attempted to use the libjs-jquery package instead. 7.27+dfsg2-1 - the next release - the above change was reverted due to "heavy breakage", with a reference to https://bugs.debian.org/699286 which says "Turns out, they have a hard dependency on the 1.4.4 version." The upstream patch is invasive: https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77 Plus has the commit "There is no patch for 1.x or 2.x, they are no longer supported and in any case this is a pretty big breaking change, likely even more so on the browsers supported by those versions. Patching this would almost surely cause a cascade of failures in code and plugins that you would need to address." As such, I am reluctant to want to try to patch the query issues. CVE-2020-13662 / SA-CORE-2020-003 The upstream patch (https://git.drupalcode.org/project/drupal/-/commit/905ff00a44160adee3f266cdcc87d3350a64a072) is trivial and applies cleanly to the Jessie version. === cut === --- drupal7-7.32.orig/includes/common.inc +++ drupal7-7.32/includes/common.inc @@ -684,7 +684,10 @@ // We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector. if (isset($_GET['destination']) && !url_is_external($_GET['destination'])) { $destination = drupal_parse_url($_GET['destination']); - $path = $destination['path']; + // Double check the path derived by drupal_parse_url() is not external. + if (!url_is_external($destination['path'])) { + $path = $destination['path']; + } $options['query'] = $destination['query']; $options['fragment'] = $destination['fragment']; } === cut === As such, I am inclined to patch the CVE-2020-13662 / SA-CORE-2020-003 issue, but not touch the jquery issue. Comments? -- Brian May <br...@linuxpenguins.xyz> https://linuxpenguins.xyz/brian/