--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2013-12086
2013-11-13 17:36:29
--------------------------------------------------------------------------------

Name        : drupal6-context
Product     : Fedora EPEL 6
Version     : 3.3
Release     : 1.el6
URL         : http://drupal.org/project/context
Summary     : Context Module for Drupal6
Description :
Context allows you to manage contextual conditions and reactions for
different portions of your site.

--------------------------------------------------------------------------------
Update Information:
CVE-2013-4445/CVE-2013-4446
Context, a Drupal module that allows you to manage contextual conditions and reactions for different portions of your site, was found to have two severe security issues.

The first issue is that the module allows execution of PHP code via manipulation of a URL argument in a path used for AJAX operations when running in a configuration without a json_decode function provided by PHP or the PECL JSON library. This vulnerability is only exploitable on a server running a PHP version prior to 5.2 (which is when the json extension became part of PHP itself) that also does not have the PECL json library installed.
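As an added illustration of the class of bug described above (this is not Context's own code, and the exact rewriting the module performed is not shown on this page), the following PHP contrasts a JSON-decoding helper that falls back to eval() when json_decode() is missing with one that fails closed. The attacker string is constructed for the example; the script only prints the PHP source the fallback would execute rather than running it.

```php
<?php
// Added example, not the module's code: an eval()-based stand-in for
// json_decode() turns a URL argument into executable PHP.

// VULNERABLE pattern: if the platform has no json_decode(), rewrite the JSON
// text into PHP array syntax and eval() it. The rewrite is a simplification
// assumed for this example; any such rewrite has the same flaw, because the
// request body ends up inside a PHP statement.
function unsafe_json_decode_fallback($json) {
  if (function_exists('json_decode')) {
    return json_decode($json, TRUE);
  }
  $decoded = NULL;
  eval(fallback_php_source($json));
  return $decoded;
}

// Returns the statement the fallback would execute, without executing it.
function fallback_php_source($json) {
  $php = str_replace(array('{', '}', ':'), array('array(', ')', '=>'), $json);
  return '$decoded = ' . $php . ';';
}

// HARDENED pattern: never rebuild a decoder with eval(). If the platform
// cannot decode JSON, reject the request instead of guessing.
function safe_json_decode($json) {
  if (!function_exists('json_decode')) {
    return NULL;  // fail closed; the caller treats NULL as a bad request
  }
  $decoded = json_decode($json, TRUE);
  // json_decode() returns NULL for malformed input; only accept an array.
  return is_array($decoded) ? $decoded : NULL;
}

// A benign argument and a hostile one, both constructed for the example.
$benign   = '{"delta":1}';
$attacker = '{"delta":system("id")}';

echo "Fallback would execute for benign input:   ", fallback_php_source($benign), "\n";
echo "Fallback would execute for attacker input: ", fallback_php_source($attacker), "\n";
// The second line is `$decoded = array("delta"=>system("id"));`, which runs
// the command with the web server's privileges when eval()'d.

var_dump(safe_json_decode($benign));    // array(1) { ["delta"]=> int(1) }
var_dump(safe_json_decode($attacker));  // NULL: not valid JSON, request rejected
```

The practical check on an affected host is simply whether `php -r 'var_dump(function_exists("json_decode"));'` prints `bool(true)`; on PHP 5.2 and later it does unless the extension was deliberately disabled, which is why the advisory describes the exposure as limited to older installs.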
The second issue is that the module uses Drupal's token scheme to restrict access to the JSON rendering of a block. This control is insufficient: Drupal's token scheme is designed to provide security between two different sessions (or between a session and an unauthenticated user) and is not designed to provide security within a session. A valid token proves that a request originated from the session it was minted for; it does not prove that the user in that session is allowed to see the block. This vulnerability is mitigated in that it only matters on sites that have blocks containing sensitive information.
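To make the token point concrete, here is an added example (not Context's or Drupal core's code) that models Drupal 6's session-bound token as md5(session id . value . private key) and shows a block-rendering callback that checks only the token beside one that also checks authorization. The block table, role names, session ids and every `demo_` identifier are assumptions constructed for the example; how a particular user obtains a token for a given value is not detailed on this page, so the example simply assumes the user holds a token minted for their own session.

```php
<?php
// Added example: a token proves same-session origin, not permission.

$demo_private_key = 'site-private-key';  // stands in for the site's private key

// Simplified model of Drupal 6's drupal_get_token()/drupal_valid_token().
function demo_get_token($session_id, $value) {
  global $demo_private_key;
  return md5($session_id . $value . $demo_private_key);
}
function demo_valid_token($session_id, $token, $value) {
  return $token === demo_get_token($session_id, $value);
}

// Blocks and the roles allowed to see them (constructed data).
$demo_blocks = array(
  'public_nav'  => array('body' => 'Main menu',    'roles' => array('anonymous', 'authenticated', 'editor')),
  'staff_notes' => array('body' => 'Payroll dates', 'roles' => array('editor')),
);

// VULNERABLE callback: the token check is the only gate. It stops a token
// replayed from another session, but says nothing about the user's rights.
function demo_block_json_vulnerable($session_id, $user_roles, $delta, $token) {
  global $demo_blocks;
  if (!isset($demo_blocks[$delta]) || !demo_valid_token($session_id, $token, $delta)) {
    return array('error' => 'bad token');
  }
  return array('content' => $demo_blocks[$delta]['body']);
}

// HARDENED callback: keep the token (it still prevents cross-session use)
// and add the authorization decision the token cannot make.
function demo_block_json_fixed($session_id, $user_roles, $delta, $token) {
  global $demo_blocks;
  if (!isset($demo_blocks[$delta]) || !demo_valid_token($session_id, $token, $delta)) {
    return array('error' => 'bad token');
  }
  if (!array_intersect($user_roles, $demo_blocks[$delta]['roles'])) {
    return array('error' => 'access denied');
  }
  return array('content' => $demo_blocks[$delta]['body']);
}

// An ordinary authenticated user holding a token for 'staff_notes' that was
// minted for their own session.
$session = 'sess-abc';
$roles   = array('authenticated');
$token   = demo_get_token($session, 'staff_notes');

// Cross-session use is rejected by both callbacks, which is all the token was
// ever designed to guarantee.
print_r(demo_block_json_vulnerable('sess-other', $roles, 'staff_notes', $token));  // bad token

// Within the user's own session the token-only callback leaks the block body...
print_r(demo_block_json_vulnerable($session, $roles, 'staff_notes', $token));      // Payroll dates

// ...while the fixed callback denies it and still serves what the user may see.
print_r(demo_block_json_fixed($session, $roles, 'staff_notes', $token));           // access denied
print_r(demo_block_json_fixed($session, $roles, 'public_nav', demo_get_token($session, 'public_nav')));  // Main menu
```

The design point carries beyond this module: a CSRF token is bound to a session and a value, so it belongs alongside an access check on the resource, never in place of one.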
The suggested fix is to update drupal6-context to 6.x-3.2 and drupal7-context to 7.x-3.0; this EPEL update ships drupal6-context 3.3, which includes the fix.

References:
  http://seclists.org/fulldisclosure/2013/Oct/118
  https://drupal.org/node/2113317
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1020780 - drupal6-context: drupal-context: multiple vulnerabilities [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1020780
  [ 2 ] Bug #1020783 - drupal6-context: drupal-context: multiple vulnerabilities [epel-6]
        https://bugzilla.redhat.com/show_bug.cgi?id=1020783
  [ 3 ] Bug #1020256 - drupal6-context-3.3 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1020256
--------------------------------------------------------------------------------
This update can be installed with the "yum" update programs. Use
su -c 'yum update drupal6-context' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora EPEL GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
epel-package-announce@lists.fedoraproject.org