<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif;font-size:small">FYI for any site using Drupal.</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif;font-size:small">Sincerely,</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif;font-size:small">Mark</div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><br>---<br>Mark Servilla<br><a href="mailto:mark.servilla@gmail.com" target="_blank">mark.servilla@gmail.com</a></div></div><br><br><div class="gmail_quote"><div dir="ltr">---------- Forwarded message ---------<br>From: <strong class="gmail_sendername" dir="auto">Terry Fleury</strong> <span dir="ltr"><<a href="mailto:tfleury@illinois.edu">tfleury@illinois.edu</a>></span><br>Date: Thu, Oct 25, 2018 at 11:43 AM<br>Subject: [cv-announce-l] Drupal - Multiple Vulnerabilities (SA-CORE-2018-006)<br>To:  <<a href="mailto:cv-announce@trustedci.org">cv-announce@trustedci.org</a>><br></div><br><br>CI Operators:<br>
<br>
Drupal recently announced a list of five (5) vulnerabilities [1] in the<br>
Drupal Core [2] code. Two (2) of these vulnerabilities are listed as<br>
critical and can allow remote code execution (RCE) [3]. The first<br>
critical vulnerability is due to PHP's DefaultMailSystem::mail()<br>
back-end which allows unsanitized email variables for shell arguments.<br>
The second critical vulnerability is specific to Drupal 8.x and is<br>
related to unvalidated contextual links. However, in both cases it would<br>
be difficult for an anonymous user to exploit the vulnerabilities.<br>
<br>
Impact:<br>
Sites running Drupal 7.x- or 8.x-based applications could be compromised<br>
by users with appropriate permissions, resulting in execution of<br>
arbitrary code.<br>
<br>
Recommendation:<br>
Upgrade to the latest version of Drupal 7 or 8.<br>
Drupal 8.6.2 : <a href="https://www.drupal.org/project/drupal/releases/8.6.2" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/8.6.2</a><br>
Drupal 8.5.8 : <a href="https://www.drupal.org/project/drupal/releases/8.5.8" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/8.5.8</a><br>
Drupal 7.60  : <a href="https://www.drupal.org/project/drupal/releases/7.60" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/7.60</a><br>
<br>
Affected Software:<br>
Drupal 8.6.x < 8.6.2<br>
Drupal 8.x.x < 8.5.8<br>
Drupal 7.x < 7.60<br>
<br>
References:<br>
[1] <a href="https://www.drupal.org/sa-core-2018-006" rel="noreferrer" target="_blank">https://www.drupal.org/sa-core-2018-006</a><br>
[2] <a href="https://www.drupal.org/project/drupal" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal</a><br>
[3] <a href="https://nakedsecurity.sophos.com/2018/10/23/patch-now-multiple-serious-flaws-found-in-drupal/" rel="noreferrer" target="_blank">https://nakedsecurity.sophos.com/2018/10/23/patch-now-multiple-serious-flaws-found-in-drupal/</a><br>
<br>
How Trusted CI can help:<br>
The potential impact of any vulnerability, and therefore the appropriate<br>
response, depends in part on operational conditions that are unique to<br>
each cyberinfrastructure deployment. Trusted CI (formerly CTSC) cannot<br>
provide a one-size-fits-all severity rating and response recommendation<br>
for all NSF cyberinfrastructure. Please contact us<br>
(<a href="http://trustedci.org/help/" rel="noreferrer" target="_blank">http://trustedci.org/help/</a>) if you need assistance with assessing the<br>
potential impact of this vulnerability in your environment and/or you<br>
have additional information about this issue that should be shared with<br>
the community.<br>
</div></div>
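Added here as a worked example, not part of either message above and not Drupal's or Trusted CI's own code: a small Python check that reads the version string a Drupal install declares and decides, using only the affected ranges the advisory lists (8.6.x < 8.6.2, earlier 8.x < 8.5.8, 7.x < 7.60), whether the site still needs the upgrade and which fixed release it should move to. The file locations it reads from (`includes/bootstrap.inc` for Drupal 7, `core/lib/Drupal.php` for Drupal 8) and the sample file contents are assumptions constructed for the example; pre-release suffixes such as `-rc1` are treated as the base version so they are never reported as safe.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in SA-CORE-2018-006, keyed by the branch they repair.
FIXED_8_6 = (8, 6, 2)   # 8.6.x sites
FIXED_8_OLD = (8, 5, 8)  # every other 8.x site (8.5 and earlier)
FIXED_7 = (7, 60)        # 7.x sites

# Constructed sample file contents (assumed layout of the two files Drupal
# uses to declare its version; adjust the paths to your deployment):
#   Drupal 7: includes/bootstrap.inc   ->  define('VERSION', '7.59');
#   Drupal 8: core/lib/Drupal.php      ->  const VERSION = '8.6.1';
SAMPLE_D7_BOOTSTRAP = "define('VERSION', '7.59');\n"
SAMPLE_D8_DRUPAL_PHP = "class Drupal {\n  const VERSION = '8.6.1';\n"

_VERSION_RE = re.compile(
    r"(?:define\('VERSION',\s*'|const VERSION = ')"
    r"(?P<v>[0-9][0-9.]*)(?:-[A-Za-z0-9.]+)?'"
)


def extract_version(source: str) -> Optional[str]:
    """Pull the declared core version out of bootstrap.inc / Drupal.php text."""
    match = _VERSION_RE.search(source)
    return match.group("v") if match else None


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.6.1' -> (8, 6, 1); a pre-release suffix is dropped, non-numeric parts ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def fixed_release(version: str) -> Optional[Tuple[int, ...]]:
    """Fixed release for this version's branch, or None if the advisory does not cover it."""
    parts = parse_version(version)
    if not parts:
        return None
    if parts[0] == 8:
        minor = parts[1] if len(parts) > 1 else 0
        return FIXED_8_6 if minor >= 6 else FIXED_8_OLD
    if parts[0] == 7:
        return FIXED_7
    return None  # 6.x and earlier are not listed in SA-CORE-2018-006


def is_affected(version: str) -> bool:
    """True when the version is below the fixed release for its branch."""
    target = fixed_release(version)
    return target is not None and parse_version(version) < target


def check_source(source: str) -> str:
    """One-line verdict for the contents of a Drupal version-declaring file."""
    version = extract_version(source)
    if version is None:
        return "no Drupal VERSION declaration found"
    target = fixed_release(version)
    if target is None:
        return f"Drupal {version}: not covered by SA-CORE-2018-006"
    wanted = ".".join(str(p) for p in target)
    if is_affected(version):
        return f"Drupal {version}: AFFECTED, upgrade to {wanted}"
    return f"Drupal {version}: not affected (>= {wanted})"


if __name__ == "__main__":
    print(check_source(SAMPLE_D7_BOOTSTRAP))
    print(check_source(SAMPLE_D8_DRUPAL_PHP))
```

Run it against the real file contents with `check_source(open(path).read())`; the verdict only covers the core version, so a site whose version is current but whose `mail()` configuration was customised still deserves the usual review.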