Drupion Newsletter

We are starting AltaGrade!

With this short notice I am delighted to announce today, that a hosting provider previously known as Drupion changes jurisdiction from California to Washington state and re-launches as AltaGrade LLC, a web-hosting company for everybody created by nerds who know the best of and love to support Drupal, Backdrop, WordPress, Joomla and thousands of other most popular web applications running on Linux!

WordPress 5.0 Beta 3 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site to play with the new version.

There are two ways to test the WordPress 5.0 Beta: try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”), or you can download the beta here (zip).

Session Limit - Critical - Insecure Session Management - SA-CONTRIB-2018-072

Project: Session Limit
Version: 7.x-2.2, 8.x-1.0-beta2
Date: 2018-October-31
Security risk: *Critical* 15/25
Vulnerability: Insecure Session Management

Description

The session limit module enables a site administrator to set a policy around
the number of active sessions users of the site may have. This is typically
set to one so that you can only be logged in once with the same user account.

Decoupled Router - Critical - Access bypass - SA-CONTRIB-2018-071

Project: Decoupled Router
Version: 8.x-1.1, 8.x-1.0
Date: 2018-October-31
Security risk: *Critical* 15/25
Vulnerability: Access bypass

Description

This module enables you to resolve the provided Drupal path in order to find
the canonical path and information about the resolved entity. This
information includes entity type ID, entity ID, entity UUID and entity label.

Paragraphs - Moderately critical - Access Bypass - SA-CONTRIB-2018-073

Project: Paragraphs
Version: 8.x-1.4
Date: 2018-October-31
Security risk: *Moderately critical* 10/25
Vulnerability: Access Bypass

Description

The Paragraphs module allows Drupal Site Builders to make content
organization cleaner so that you can give more editing power to end-users.

The module doesn't sufficiently check access when creating new paragraph
entities, which can cause access bypass issues when it is used in combination
with other contributed modules.

WordPress 5.0 Beta 2 is now available

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site to play with the new version.

There are two ways to test the WordPress 5.0 Beta: try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”), or you can download the beta here (zip).

HTML Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-069

Project: HTML Mail
Date: 2018-October-17
Security risk: *Critical* 17/25
Vulnerability: Remote Code Execution

Description

The HTML Mail module lets you theme your messages the same way you theme the
rest of your website.

When sending email, some variables were not being sanitized for use as shell
arguments, which could lead to remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution

Install the latest version:

Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068

Project: Mime Mail
Date: 2018-October-17
Security risk: *Critical* 17/25
Vulnerability: Remote Code Execution

Description

The MIME Mail module allows sending MIME-encoded e-mail messages with
embedded images and attachments.

The module doesn't sufficiently sanitize some variables for use as shell
arguments when sending email, which could lead to arbitrary remote code
execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution

Install the latest version:

Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067

Project: Workbench Moderation
Date: 2018-October-17
Security risk: *Moderately critical* 11/25
Vulnerability: Access bypass

Description

The Workbench Moderation module adds arbitrary moderation states to Drupal
core's "unpublished" and "published" node states, and affects the behavior of
node revisions when nodes are published.

In some conditions, content moderation fails to check a user's access to use
certain transitions, leading to an access bypass.

Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006

* Advisory ID: DRUPAL-SA-CONTRIB-2018-006
* Project: Drupal core
* Version: 7.x, 8.x
* Date: 2018-October-17

DESCRIPTION

*Content moderation - Moderately critical - Access bypass - Drupal 8*

In some conditions, content moderation fails to check a user's access to use
certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content
moderation which may have implications for backwards compatibility:
