-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Wed, 16 Feb 2022 12:36:15 -0600
Source: drupal7
Architecture: source
Version: 7.52-2+deb9u18
Distribution: stretch-security
Urgency: medium
Maintainer: Gunnar Wolf
Changed-By: Gunnar Wolf
Changes:
drupal7 (7.52-2+deb9u18
Package: drupal7
Version: 7.52-2+deb9u18
This security update includes two fixes, backported respectively from
Drupal version 7.87 and 7.88:
- Fix a regression caused by jQuery ui position() backport in version
7.86 (backported as 7.52-2+deb9u17): was not checking for possible
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Wed, 19 Jan 2022 13:26:37 -0600
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.52-2+deb9u17
Distribution: stretch-security
Urgency: medium
Maintainer: Gunnar Wolf
Changed-By: Gunnar Wolf
Description:
drupal7
Package: drupal7
Version: 7.52-2+deb9u17
CVE ID : CVE-2021-41182 CVE-2021-41183 CVE-2016-7103 CVE-2010-5312
The Drupal project includes a very old version of jQuery. Security
vulnerabilities leading to cross-site scripting attacks in different
components of the jQuery UI
-
Package: drupal7
Version: 7.52-2+deb9u16
CVE ID : CVE-2021-32610
The Drupal project uses the pear Archive_Tar library, which has
released a security update that impacts Drupal.
The vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Mon, 26 Jul 2021 11:21:54 -0500
Source: drupal7
Architecture: source
Version: 7.52-2+deb9u16
Distribution: stretch-security
Urgency: medium
Maintainer: Gunnar Wolf
Changed-By: Gunnar Wolf
Changes:
drupal7 (7.52-2+deb9u16
https://wiki.debian.org/LTS
- ---
Package : drupal7
Version : 7.52-2+deb9u15
The Drupal project identified a vulnerability in the sanitization
performed in the _filter_xss_arttributes function, potentially
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Fri, 23 Apr 2021 14:06:37 -0500
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.52-2+deb9u15
Distribution: stretch-security
Urgency: medium
Maintainer: Gunnar Wolf
Changed-By: Gunnar Wolf
Description:
drupal7
Hi Gunnar, all
See below.
On Tue, 9 Mar 2021 at 05:11, Gunnar Wolf wrote:
> Hello Ola, Salvatore, Chris et al.!
>
> Ola Lundqvist dijo [Mon, Mar 08, 2021 at 11:51:35PM +0100]:
> > Hi Salvatore, Gunnar, all
> >
> > When looking further into this issue I do not
Hello Ola, Salvatore, Chris et al.!
Ola Lundqvist dijo [Mon, Mar 08, 2021 at 11:51:35PM +0100]:
> Hi Salvatore, Gunnar, all
>
> When looking further into this issue I do not think drupal7 is completely
> fixed.
> The drupal 7 package includes th
Hi Salvatore, Gunnar, all
When looking further into this issue I do not think drupal7 is completely
fixed.
The drupal 7 package includes the following fix:
+if (strpos(realpath(dirname($v_header['link'])),
realpath($p_path)) !== 0) {
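Review bot: the containment test on the `+if` line is a plain string-prefix comparison of two realpath() results, so a directory that merely shares the leading characters of realpath($p_path) (a sibling whose name starts the same way) compares as being inside it. Consider comparing against realpath($p_path) with a trailing directory separator appended, and handling explicitly the case where realpath() returns false because the link's directory does not exist yet.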
But it is missing the depth check
https
in dla-needed.
> > > The thing is that this CVE tells that drupal7 is also vulnerable but
> > > drupal7 is not in dla-needed.txt.
> >
> > It may be that drupal7 was not marked as being vulnerable to
> > CVE-2020-36193 at the time of triage. After all, the code co
On 25/02/2021 10:09, Chris Lamb wrote:
Morning Ola,
Today I looked at CVE-2020-36193 since we have php-pear in dla-needed.
The thing is that this CVE tells that drupal7 is also vulnerable but
drupal7 is not in dla-needed.txt.
It may be that drupal7 was not marked as being vulnerable to
CVE
Hi,
On Thu, Feb 25, 2021 at 09:09:08AM +, Chris Lamb wrote:
> Morning Ola,
>
> > Today I looked at CVE-2020-36193 since we have php-pear in dla-needed.
> > The thing is that this CVE tells that drupal7 is also vulnerable but
> > drupal7 is not in dla-needed.txt.
>
Morning Ola,
> Today I looked at CVE-2020-36193 since we have php-pear in dla-needed.
> The thing is that this CVE tells that drupal7 is also vulnerable but
> drupal7 is not in dla-needed.txt.
It may be that drupal7 was not marked as being vulnerable to
CVE-2020-36193 at the time
Hi Chris
Today I looked at CVE-2020-36193 since we have php-pear in dla-needed.
The thing is that this CVE tells that drupal7 is also vulnerable but
drupal7 is not in dla-needed.txt.
Is there any specific reason for this?
I guess there is, like drupal7 impact was realized later, or lack of time
https://wiki.debian.org/LTS
- ---
Package : drupal7
Version : 7.52-2+deb9u14
CVE ID: CVE-2020-36193
Drupal identified a vulnerability in the version of the Archive_Tar
library it bundles (CVE-2020-36193), which
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Thu, 21 Jan 2021 13:03:02 -0600
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.52-2+deb9u14
Distribution: stretch-security
Urgency: medium
Maintainer: Gunnar Wolf
Changed-By: Gunnar Wolf
Description:
drupal7
https://wiki.debian.org/LTS
- -
Package: drupal7
Version: 7.52-2+deb9u13
CVE ID : CVE-2020-28948 CVE-2020-28949
Two vulnerabilities were found in the Archive_Tar PHP module, used
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Thu, 26 Nov 2020 00:43:12 -0600
Source: drupal7
Architecture: source
Version: 7.52-2+deb9u13
Distribution: stretch-security
Urgency: medium
Maintainer: Gunnar Wolf
Changed-By: Gunnar Wolf
Changes:
drupal7 (7.52-2+deb9u13
https://wiki.debian.org/LTS
- -
Package: drupal7
Version: 7.52-2+deb9u12
CVE ID : CVE-2020-13666 CVE-2020-13671
Two vulnerabilities were discovered in Drupal, a fully-featured
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Wed, 18 Nov 2020 14:00:18 -0600
Source: drupal7
Architecture: source
Version: 7.52-2+deb9u12
Distribution: stretch-security
Urgency: medium
Maintainer: Gunnar Wolf
Changed-By: Gunnar Wolf
Changes:
drupal7 (7.52-2+deb9u12
Package: drupal7
Version: 7.32-1+deb8u19
CVE ID : CVE-2020-13663
Debian Bug :
CVE-2020-13663 - Drupal SA 2020-004
The Drupal core Form API does not properly handle certain form
input from cross-site requests, which can lead to other vulnerabilities.
For Debian
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Mon, 29 Jun 2020 15:45:06 +
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.32-1+deb8u19
Distribution: jessie-security
Urgency: medium
Maintainer: Luigi Gangitano
Changed-By: Ola Lundqvist
Description
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: drupal7
Version: 7.32-1+deb8u18
CVE ID : CVE-2020-13662
Drupal 7 has an Open Redirect vulnerability. For example, a user
could be tricked into visiting a specially crafted link which would
redirect them
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Mon, 15 Jun 2020 07:30:19 +1000
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.32-1+deb8u18
Distribution: jessie-security
Urgency: medium
Maintainer: Luigi Gangitano
Changed-By: Brian May
Description
Brian May writes:
> Drupal7, in Jessie has 3 security issues:
My proposed changes to drupal7 in Jessie:
diff -Nru drupal7-7.32/debian/changelog drupal7-7.32/debian/changelog
--- drupal7-7.32/debian/changelog 2019-05-20 20:05:42.0 +1000
+++ drupal7-7.32/debian/changelog 2
Drupal7, in Jessie has 3 security issues:
CVE-2020-11022 / CVE-2020-11023 / SA-CORE-2020-002
Vulnerabilities in jquery library.
The Debian drupal7 package comes with jquery 1.4.4
(debian/missing-sources/jquery-1.4.4.js).
7.27+dfsg-1 the maintainer attempted to use the libjs-jquery
package
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: drupal7
Version: 7.32-1+deb8u17
CVE ID : CVE-2019-11358 CVE-2019-11831
Debian Bug : 927330 928688
Several security vulnerabilities have been discovered in drupal7, a
PHP web site platform. The vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Mon, 20 May 2019 12:05:42 +0200
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.32-1+deb8u17
Distribution: jessie-security
Urgency: medium
Maintainer: Luigi Gangitano
Changed-By: Jonas Meurer
Description
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Package: drupal7
Version: 7.32-1+deb8u16
CVE ID : CVE-2019-6341
It was discovered that missing input sanitising in the file module of
Drupal, a fully-featured content management framework, could result in
cross-site
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Thu, 28 Mar 2019 11:17:31 +0100
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.32-1+deb8u16
Distribution: jessie-security
Urgency: medium
Maintainer: Luigi Gangitano
Changed-By: Emilio Pozuelo Monfort
Hi Chris!
Chris Lamb dijo [Mon, Mar 04, 2019 at 03:22:35AM -0500]:
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Jessie version of drupal7:
> https://security-tracker.debian.org/tracker/source-package/drupal7
Dear maintainer(s),
The Debian LTS team would like to fix the security issues which are
currently open in the Jessie version of drupal7:
https://security-tracker.debian.org/tracker/source-package/drupal7
Would you like to take care of this yourself?
If yes, please follow the workflow we have
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: drupal7
Version: 7.32-1+deb8u15
CVE ID : CVE-2019-6338
Drupal core uses the third-party PEAR Archive_Tar library. This
library has released a security update which impacts some Drupal
configurations. Refer to CVE
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: drupal7
Version: 7.32-1+deb8u14
CVE ID : CVE-2019-6339
A remote code execution vulnerability exists in PHP's built-in phar
stream wrapper when performing file operations on an untrusted phar://
URI. Some Drupal code
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Thu, 31 Jan 2019 23:16:08 +0530
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.32-1+deb8u14
Distribution: jessie-security
Urgency: medium
Maintainer: Luigi Gangitano
Changed-By: Abhijith PA
Description
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Fri, 19 Oct 2018 10:51:00 -0400
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.32-1+deb8u13
Distribution: jessie-security
Urgency: high
Maintainer: Luigi Gangitano
Changed-By: Chris Lamb
Description:
drupal7
On Thursday 26 April 2018 12:29 PM, Emilio Pozuelo Monfort wrote:
> On 26/04/18 04:54, Abhijith PA wrote:
>> Hello.
>>
>> I have prepared LTS security update for drupal7[1] . Debdiff is
>> attached. Please review and upload. I tested it on a clean wheezy vm
>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: drupal7
Version: 7.14-2+deb7u19
CVE ID : CVE-2018-7602
Debian Bug : 895778
A remote code execution vulnerability has been found within multiple
subsystems of Drupal. This potentially allows attackers to exploit
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Thu, 26 Apr 2018 03:14:26 +0530
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.14-2+deb7u19
Distribution: wheezy-security
Urgency: high
Maintainer: Luigi Gangitano <lu...@debian.org>
Changed-By: Abhij
On 26/04/18 04:54, Abhijith PA wrote:
> Hello.
>
> I have prepared LTS security update for drupal7[1] . Debdiff is
> attached. Please review and upload. I tested it on a clean wheezy vm
Uploaded. Are you available to send a DLA or should I?
Cheers,
Emilio
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hello.
I have prepared LTS security update for drupal7[1] . Debdiff is
attached. Please review and upload. I tested it on a clean wheezy vm
[1] https://mentors.debian.net/debian/pool/main/d/drupal7/drupal7_7.14-2+deb7u19.dsc
- --abhijith
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: drupal7
Version: 7.14-2+deb7u18
CVE ID : CVE-2018-7600
Jasper Mattsson found a remote code execution vulnerability in the
Drupal content management system. This potentially allows attackers to
exploit multiple
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Wed, 28 Mar 2018 22:47:59 +0200
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.14-2+deb7u18
Distribution: wheezy-security
Urgency: high
Maintainer: Luigi Gangitano <lu...@debian.org>
Changed-By: Markus Ko
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: drupal7
Version: 7.14-2+deb7u17
CVE ID : CVE-2017-6927 CVE-2017-6928 CVE-2017-6929
CVE-2017-6932
Debian Bug : 891152 891150 891153 891154
Multiple vulnerabilities have been found in the Drupal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: drupal7
Version: 7.14-2+deb7u16
CVE ID : CVE-2017-6922
Private files that have been uploaded by an anonymous user but not permanently
attached to content on the site should only be visible to the anonymous user
Raphael Hertzog dijo [Thu, Jun 22, 2017 at 10:55:59AM +0200]:
> Hello Gunnar,
Hello Raphael,
Thanks a lot for your great, invaluable help on LTS!
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of drupal7:
> http
Hello Gunnar,
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of drupal7:
https://security-tracker.debian.org/tracker/CVE-2017-6922
Would you like to take care of this yourself?
If yes, please follow the workflow we have defined here
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Package: drupal7
Version: 7.14-2+deb7u15
CVE ID : CVE-2016-9449 CVE-2016-9451
Multiple vulnerabilities have been found in the Drupal content
management framework. For additional information, please refer to the
upstream
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Mon, 21 Nov 2016 13:47:25 +0100
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.14-2+deb7u15
Distribution: wheezy-security
Urgency: high
Maintainer: Luigi Gangitano <lu...@debian.org>
Changed-By: Markus Ko
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Fri, 15 Jul 2016 09:35:17 +0200
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.14-2+deb7u14
Distribution: wheezy-security
Urgency: high
Maintainer: Luigi Gangitano <lu...@debian.org>
Changed-By: Chris La
b...@decadent.org.uk dijo [Thu, Jul 14, 2016 at 11:26:04PM +0100]:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of drupal7:
> https://security-tracker.debian.org/tracker/CVE-2016-6211
>
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of drupal7:
https://security-tracker.debian.org/tracker/CVE-2016-6211
Would you like to take care of this yourself?
If yes, please follow the workflow we have
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Format: 1.8
Date: Mon, 11 Jul 2016 20:18:44 +0200
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.14-2+deb7u13
Distribution: wheezy-security
Urgency: high
Maintainer: Luigi Gangitano <lu...@debian.org>
Changed-By: Chris La