[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Record assigned CVEs for drupal and SA-CORE-2018-001

Salvatore Bonaccorso carnil at debian.org
Sat Feb 24 19:51:24 UTC 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2f9fb34a by Salvatore Bonaccorso at 2018-02-24T20:47:57+01:00
Record assigned CVEs for drupal and SA-CORE-2018-001

Queried the Drupal security team, and the CVEs were yet pending. Record
now the assigned CVEs and update cross references.

Additionally track the issues for Drupal 8 still with the itp. Gunnar
Wolf though makes clear in https://bugs.debian.org/756305 that packaging
Drupal 8 for Debian should not be done.

- - - - -


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -304,25 +304,18 @@ CVE-2017-18194 (SQL injection vulnerability in users/signup.php in the "sig
 CVE-2017-18193 (fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles ...)
 	- linux 4.13.4-1
 	NOTE: Fixed by: https://git.kernel.org/linus/dad48e73127ba10279ea33e6dbc8d3905c4d31c0
-CVE-2018-XXXX [SA-CORE-2018-001: External link injection on 404 pages when linking to the current page]
+CVE-2017-6932 [SA-CORE-2018-001: External link injection on 404 pages when linking to the current page]
 	- drupal7 7.57-1 (bug #891154)
-	[stretch] - drupal7 7.52-2+deb9u2
-	[jessie] - drupal7 7.32-1+deb8u10
 	NOTE: https://www.drupal.org/sa-core-2018-001
-CVE-2018-XXXX [SA-CORE-2018-001: jQuery vulnerability with untrusted domains]
+CVE-2017-6929 [SA-CORE-2018-001: jQuery vulnerability with untrusted domains]
 	- drupal7 7.57-1 (bug #891153)
-	[stretch] - drupal7 7.52-2+deb9u2
-	[jessie] - drupal7 7.32-1+deb8u10
 	NOTE: https://www.drupal.org/sa-core-2018-001
-CVE-2018-XXXX [SA-CORE-2018-001: Private file access bypass]
+CVE-2017-6928 [SA-CORE-2018-001: Private file access bypass]
 	- drupal7 7.57-1 (bug #891152)
-	[stretch] - drupal7 7.52-2+deb9u2
-	[jessie] - drupal7 7.32-1+deb8u10
 	NOTE: https://www.drupal.org/sa-core-2018-001
-CVE-2018-XXXX [SA-CORE-2018-001: JavaScript cross-site scripting prevention is incomplete]
+CVE-2017-6927 [SA-CORE-2018-001: JavaScript cross-site scripting prevention is incomplete]
+	- drupal8 <itp> (bug #756305)
 	- drupal7 7.57-1 (bug #891150)
-	[stretch] - drupal7 7.52-2+deb9u2
-	[jessie] - drupal7 7.32-1+deb8u10
 	NOTE: https://www.drupal.org/sa-core-2018-001
 CVE-2018-7338
 	RESERVED
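Review bot: the four entries converted from CVE-2018-XXXX placeholders (CVE-2017-6927, -6928, -6929, -6932) stay at the top of the file among the 2018 IDs instead of moving down to the CVE-2017-69xx block where their RESERVED stubs are deleted in the next hunk; the file tolerates out-of-order entries, but relocating them keeps lookups by ID predictable. Dropping the `[stretch] - drupal7 7.52-2+deb9u2` and `[jessie] - drupal7 7.32-1+deb8u10` lines here is only correct because the data/DSA/list hunk in this same commit attaches the same four CVEs to DSA-4123-1, so the stable fix status is now derived entirely from that entry; if the DSA hunk were dropped, these CVEs would show as unfixed in jessie and stretch. Also confirm that only CVE-2017-6927 is meant to carry `- drupal8 <itp> (bug #756305)`, i.e. that SA-CORE-2018-001 lists the other three issues as Drupal 7 only.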
@@ -51094,20 +51087,18 @@ CVE-2017-6934
 	RESERVED
 CVE-2017-6933
 	RESERVED
-CVE-2017-6932
-	RESERVED
-CVE-2017-6931
-	RESERVED
-CVE-2017-6930
+CVE-2017-6931 [Settings Tray access bypass]
 	RESERVED
-CVE-2017-6929
-	RESERVED
-CVE-2017-6928
-	RESERVED
-CVE-2017-6927
+	- drupal8 <itp> (bug #756305)
+	NOTE: https://www.drupal.org/sa-core-2018-001
+CVE-2017-6930 [Language fallback can be incorrect on multilingual sites with node access restrictions]
 	RESERVED
-CVE-2017-6926
+	- drupal8 <itp> (bug #756305)
+	NOTE: https://www.drupal.org/sa-core-2018-001
+CVE-2017-6926 [Comment reply form allows access to restricted content]
 	RESERVED
+	- drupal8 <itp> (bug #756305)
+	NOTE: https://www.drupal.org/sa-core-2018-001
 CVE-2017-6925 [Entity access bypass for entities that do not have UUIDs or have protected revisions - Access Bypass]
 	RESERVED
 	- drupal8 <itp> (bug #756305)
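Review bot: the three newly described entries (CVE-2017-6931, -6930, -6926) keep their RESERVED line, while the four converted in the first hunk (6927, 6928, 6929, 6932) have none, although all seven IDs come from the same advisory and have the same publication status at MITRE; pick one convention for the whole set so the tracker reports them consistently. The bracketed description of the neighbouring CVE-2017-6925 ends in " - Access Bypass", whereas the new ones carry only the advisory title; matching that style would be tidier. Deleting the bare RESERVED stubs for 6932/6929/6928/6927 is the right call, since those IDs now have full entries above and leaving the stubs would create duplicates.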


=====================================
data/DSA/list
=====================================
--- a/data/DSA/list
+++ b/data/DSA/list
@@ -1,4 +1,5 @@
 [24 Feb 2018] DSA-4123-1 drupal7 - security update
+	{CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6932}
 	[jessie] - drupal7 7.32-1+deb8u10
 	[stretch] - drupal7 7.52-2+deb9u2
 [23 Feb 2018] DSA-4122-1 squid3 - security update
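Review bot: with the per-CVE [jessie]/[stretch] lines removed from data/CVE/list in this commit, the brace list `{CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6932}` is now the only thing tying 7.32-1+deb8u10 and 7.52-2+deb9u2 to those CVEs, so a typo in any ID here would silently leave that CVE marked unfixed in stable; the four IDs do match the four drupal7 entries above. The remaining three IDs from SA-CORE-2018-001 (6926, 6930, 6931) are correctly absent, as the CVE list tracks them only against the drupal8 ITP and the DSA covers drupal7 alone.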



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f9fb34accea5d5a8a18307d8b75f1944ec531a4
