--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-21298
2013-11-14 02:09:28
--------------------------------------------------------------------------------

Name        : drupal6-context
Product     : Fedora 18
Version     : 3.3
Release     : 1.fc18
URL         : http://drupal.org/project/context
Summary     : Context Module for Drupal6
Description :
Context allows you to manage contextual conditions and reactions for
different portions of your site.

--------------------------------------------------------------------------------
Update Information:

CVE-2013-4445/CVE-2013-4446

Context, a drupal module, which allows you to manage contextual conditions and 
reactions for different portions of your site, was found to have two severe 
security issues.

First issue is that the module allows execution of PHP code via manipulation of 
a URL argument in a path used for AJAX operations when running in a 
configuration without a json_decode function provided by PHP or the PECL JSON 
library. The vulnerability is

This vulnerability is only exploitable on a server running a PHP version prior 
to 5.2 that does not have the json library installed.

Second issue is that the module uses Drupal's token scheme to restrict access 
to the json rendering of a block. This control mechanism is insufficient as 
Drupal's token scheme is designed to provide security between two different 
sessions (or a session and a non authenticated user) and is not designed to 
provide security within a session. The vulnerability is mitigated by needing 
blocks that have sensitive information.

The suggested fix is to update Drupal6-context to 6.x-3.2 and Drupal7-context 
to 7.x-3.0.

References:
http://seclists.org/fulldisclosure/2013/Oct/118
https://drupal.org/node/2113317
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 13 2013 Jon Ciesla <[email protected]> - 3.3-1
- Update to latest, SA-CONTRIB-2013-079, BZ 1020780,
- BZ 1020783, BZ 1020256.
* Sat Aug  3 2013 Fedora Release Engineering <[email protected]> 
- 3.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Feb 13 2013 Fedora Release Engineering <[email protected]> 
- 3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Thu Jan  3 2013 Anderson Silva <[email protected]> - 3.1-1
- CVE-2012-5655 - Upstream update
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1020780 - drupal6-context: drupal-context: multiple 
vulnerabilities [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1020780
  [ 2 ] Bug #1020783 - drupal6-context: drupal-context: multiple 
vulnerabilities [epel-6]
        https://bugzilla.redhat.com/show_bug.cgi?id=1020783
  [ 3 ] Bug #1020256 - drupal6-context-3.3 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1020256
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update drupal6-context' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Reply via email to