drupal7
Drupal7, in Jessie has 3 security issues:
CVE-2020-11022 / CVE-2020-11023 / SA-CORE-2020-002
Vulnerabilities in jquery library.
The Debian drupal7 package comes with jquery 1.4.4
(debian/missing-sources/jquery-1.4.4.js).
7.27+dfsg-1 the maintainer attempted to use the libjs-jquery
package instead.
7.27+dfsg2-1 - the next release - the above change was reverted due to
"heavy breakage", with a reference to https://bugs.debian.org/699286
which says "Turns out, they have a hard dependency on the 1.4.4
version."
The upstream patch is invasive:
https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
Plus has the commit "There is no patch for 1.x or 2.x, they are no
longer supported and in any case this is a pretty big breaking change,
likely even more so on the browsers supported by those versions.
Patching this would almost surely cause a cascade of failures in code
and plugins that you would need to address."
As such, I am reluctant to want to try to patch the query issues.
CVE-2020-13662 / SA-CORE-2020-003
The upstream patch
(https://git.drupalcode.org/project/drupal/-/commit/905ff00a44160adee3f266cdcc87d3350a64a072)
is trivial and applies cleanly to the Jessie version.
=== cut ===
--- drupal7-7.32.orig/includes/common.inc
+++ drupal7-7.32/includes/common.inc
@@ -684,7 +684,10 @@
// We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector.
if (isset($_GET['destination']) && !url_is_external($_GET['destination'])) {
$destination = drupal_parse_url($_GET['destination']);
- $path = $destination['path'];
+ // Double check the path derived by drupal_parse_url() is not external.
+ if (!url_is_external($destination['path'])) {
+ $path = $destination['path'];
+ }
$options['query'] = $destination['query'];
$options['fragment'] = $destination['fragment'];
}
=== cut ===
As such, I am inclined to patch the CVE-2020-13662 / SA-CORE-2020-003
issue, but not touch the jquery issue.
Comments?
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
Reply to: