Debian DSA-2804-1 : drupal7 - several vulnerabilities

medium Nessus Plugin ID 71098

Synopsis

The remote Debian host is missing a security-related update.

Description

Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework: Cross-site request forgery, insecure pseudo random number generation, code execution, incorrect security token validation and cross-site scripting.

In order to avoid the remote code execution vulnerability, it is recommended to create a .htaccess file (or an equivalent configuration directive in case you are not using Apache to serve your Drupal sites) in each of your sites' 'files' directories (both public and private, in case you have both configured).

Please refer to the NEWS file provided with this update and the upstream advisory at drupal.org/SA-CORE-2013-003 for further information.

Solution

Upgrade the drupal7 packages.

For the stable distribution (wheezy), these problems have been fixed in version 7.14-2+deb7u1.

See Also

http://www.nessus.org/u?9a366273

https://packages.debian.org/source/wheezy/drupal7

https://www.debian.org/security/2013/dsa-2804

Plugin Details

Severity: Medium

ID: 71098

File Name: debian_DSA-2804.nasl

Version: 1.12

Type: local

Agent: unix

Published: 11/27/2013

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:drupal7, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 11/26/2013

Reference Information

CVE: CVE-2013-6385, CVE-2013-6386, CVE-2013-6387, CVE-2013-6388, CVE-2013-6389

DSA: 2804