-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2016.2744.2
       [Security-news] Drupal Core - Moderately Critical - Multiple
                    Vulnerabilities - SA-CORE-2016-005
                             28 November 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service              -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Access Confidential Data       -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-9452 CVE-2016-9451 CVE-2016-9450
                   CVE-2016-9449  

Original Bulletin: 
   https://www.drupal.org/SA-CORE-2016-005

Revision History:  November 28 2016: CVEs assigned to vulnerabilities
                   November 17 2016: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------


Drupal Core - Moderately Critical - Multiple Vulnerabilities - 
SA-CORE-2016-005

Posted by Drupal Security Team on November 16, 2016 at 5:37pm

Advisory ID: DRUPAL-SA-CORE-2016-005

Project: Drupal core

Version: 7.x, 8.x

Date: 2016-November-16

Security risk: 13/25 ( Moderately Critical) 
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon

Vulnerability: Multiple vulnerabilities

Description

Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 
8)

Drupal provides a mechanism to alter database SELECT queries before they are 
executed. Contributed and custom modules may use this mechanism to restrict 
access to certain entities by implementing hook_query_alter() or 
hook_query_TAG_alter() in order to add additional conditions. Queries can be 
distinguished by means of query tags. As the documentation on 
EntityFieldQuery::addTag() suggests, access-tags on entity queries normally 
follow the form ENTITY_TYPE_access (e.g. node_access). However, the taxonomy 
module's access query tag predated this system and used term_access as the 
query tag instead of taxonomy_term_access.

As a result, before this security release, modules wishing to restrict access 
to taxonomy terms may have implemented an unsupported tag, or needed to look 
for both tags (term_access and taxonomy_term_access) in order to be compatible
with queries generated by Drupal core as well as those generated by 
contributed modules like Entity Reference. Otherwise, information on taxonomy 
terms might have been disclosed to unprivileged users.
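The following is an added example, not code from the advisory or from Drupal 
core: a hypothetical Drupal 7 module, example_term_restrict, that hides the 
terms of configured vocabularies from users without the 'administer taxonomy' 
permission. It implements hook_query_TAG_alter() for both tag names so the 
restriction applies to core's term_access queries and to contributed modules 
that tag with taxonomy_term_access, and it records on the query that the 
condition has been added so a query carrying both tags is not restricted 
twice. The variable name example_term_restrict_hidden_vids is an assumption.

```php
<?php
// Added example, not Drupal core code: hypothetical module
// "example_term_restrict" for Drupal 7.

/**
 * Implements hook_query_TAG_alter() for the historical 'term_access' tag.
 */
function example_term_restrict_query_term_access_alter(QueryAlterableInterface $query) {
  _example_term_restrict_apply($query);
}

/**
 * Implements hook_query_TAG_alter() for the 'taxonomy_term_access' tag.
 */
function example_term_restrict_query_taxonomy_term_access_alter(QueryAlterableInterface $query) {
  _example_term_restrict_apply($query);
}

/**
 * Adds the access condition to a tagged SELECT query exactly once.
 */
function _example_term_restrict_apply(SelectQueryInterface $query) {
  // A query tagged with both names reaches both hooks above; mark the query
  // so the restriction is added only once.
  if ($query->getMetaData('example_term_restrict_applied')) {
    return;
  }
  $query->addMetaData('example_term_restrict_applied', TRUE);

  if (user_access('administer taxonomy')) {
    return;
  }

  // Assumed setting: vocabulary IDs whose terms are hidden from
  // non-administrators.
  $hidden_vids = variable_get('example_term_restrict_hidden_vids', array());
  if (empty($hidden_vids)) {
    return;
  }

  // Find the alias under which taxonomy_term_data was selected or joined;
  // core and contributed modules do not use the same alias.
  foreach ($query->getTables() as $alias => $info) {
    if (isset($info['table']) && $info['table'] === 'taxonomy_term_data') {
      $query->condition($alias . '.vid', $hidden_vids, 'NOT IN');
      return;
    }
  }

  // Fail closed: a query tagged as a term access query with no recognisable
  // term table cannot be restricted correctly, so return no rows rather than
  // risk disclosing terms.
  $query->where('1 = 0');
}
```

Once a site runs the fixed core release, a module that only implements the 
taxonomy_term_access hook still misses any query that a contributed module 
tags with term_access alone, so keeping both hooks, deduplicated as above, is 
the compatible choice.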

Incorrect cache context on password reset page (Less critical - Drupal 8)

The user password reset form does not specify a proper cache context, which 
can lead to cache poisoning and unwanted content on the page.
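The following is an added example, not the core UserPasswordForm and not the 
8.2.3 fix: a hypothetical Drupal 8 form whose markup depends on a query 
argument. The weak render array declares no cache context, so the first 
response to be cached is served to every later request regardless of the 
value sent, and whoever primes the cache chooses the text everyone sees. The 
corrected array declares the url.query_args:name context (a core-provided 
context) so cache entries are keyed on that value. The module name, form ID and 
the ?name= argument are assumptions.

```php
<?php
// Added example, not Drupal core code: hypothetical module
// "example_reset_notice" for Drupal 8.

namespace Drupal\example_reset_notice\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

class NoticeForm extends FormBase {

  public function getFormId() {
    return 'example_reset_notice_form';
  }

  /**
   * The shape of the bug: the markup varies on $name but the render array
   * declares no cache context, so the render cache and Dynamic Page Cache
   * store one copy and serve it to everyone.
   */
  public function noticeWithoutContext($name) {
    return [
      // The @placeholder is escaped, so this is not an XSS sink; the flaw is
      // in how the output is cached, not how it is escaped.
      '#markup' => $this->t('A reset link will be sent for @name.', ['@name' => $name]),
    ];
  }

  /**
   * Corrected: declare that the output depends on the 'name' query argument,
   * so cached copies are keyed on it.
   */
  public function noticeWithContext($name) {
    return [
      '#markup' => $this->t('A reset link will be sent for @name.', ['@name' => $name]),
      '#cache' => [
        'contexts' => ['url.query_args:name'],
      ],
    ];
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    // Assumed request-dependent input: ?name=...
    $name = (string) $this->getRequest()->query->get('name', '');

    $form['notice'] = $this->noticeWithContext($name);

    $form['actions']['#type'] = 'actions';
    $form['actions']['submit'] = [
      '#type' => 'submit',
      '#value' => $this->t('Send'),
    ];
    return $form;
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Assumed: the real work would happen here.
  }

}
```

The rule this illustrates: every piece of request-dependent output needs a 
cache context for each thing it varies on (query arguments, route parameters, 
the current user, and so on), or '#cache' => ['max-age' => 0] if it must not 
be cached at all.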

Confirmation forms allow external URLs to be injected (Moderately critical - 
Drupal 7)

Under certain circumstances, malicious users could construct a URL to a 
confirmation form that would trick users into being redirected to a 3rd party
website after interacting with the form, thereby exposing the users to 
potential social engineering attacks.
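The following is an added example, not Drupal core's confirm_form() and not 
the 7.52 fix: a hypothetical Drupal 7 module, example_archive, whose 
confirmation form takes its cancel link and post-submit redirect from a 
?destination= query argument. The helper rejects anything that points off-site, 
including protocol-relative and backslash forms, and falls back to a path the 
module chose itself. The module name, the archive action and the node-based 
fallback path are assumptions.

```php
<?php
// Added example, not Drupal core code: hypothetical module "example_archive"
// for Drupal 7.

/**
 * Returns $candidate if it is a safe internal path, otherwise $fallback.
 */
function example_archive_safe_path($candidate, $fallback) {
  if (!is_string($candidate) || $candidate === '') {
    return $fallback;
  }
  // Browsers treat backslashes as slashes; normalise before checking so
  // '\\evil.example' cannot slip past a check that only looks for '//'.
  $path = str_replace('\\', '/', $candidate);
  // Protocol-relative targets ('//evil.example/...') are external too, so
  // check them explicitly rather than relying on url_is_external() alone.
  if (strpos($path, '//') === 0 || url_is_external($path)) {
    return $fallback;
  }
  return $path;
}

/**
 * Confirmation form for the (assumed) archive action on a node.
 */
function example_archive_confirm_form($form, &$form_state, $node) {
  $fallback = 'node/' . $node->nid;
  $destination = isset($_GET['destination']) ? $_GET['destination'] : NULL;
  $return_path = example_archive_safe_path($destination, $fallback);

  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  // Keep the validated path on the form so the submit handler never reads
  // the raw query argument again.
  $form['#example_archive_return'] = $return_path;

  return confirm_form(
    $form,
    t('Archive %title?', array('%title' => $node->title)),
    $return_path,
    t('The node will be hidden from listings.'),
    t('Archive'),
    t('Cancel')
  );
}

/**
 * Submit handler: performs the action, then redirects only to the validated path.
 */
function example_archive_confirm_form_submit($form, &$form_state) {
  // Assumed: the archive operation itself would happen here.
  $form_state['redirect'] = $form['#example_archive_return'];
}
```

The helper only guards values the module itself passes on; upgrading to 7.52 
is what fixes the core confirm_form() path the advisory describes.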

Denial of service via transliterate mechanism (Moderately critical - Drupal 8)

A specially crafted URL can cause a denial of service via the transliterate 
mechanism.

CVE identifier(s) issued

Inconsistent name for term access query: CVE-2016-9449

Incorrect cache context on password reset page: CVE-2016-9450

Confirmation forms allow external URLs to be injected: CVE-2016-9451

Denial of service via transliterate mechanism: CVE-2016-9452

Versions affected

Drupal core 7.x versions prior to 7.52

Drupal core 8.x versions prior to 8.2.3

Solution

Install the latest version:

If you use Drupal 7.x, upgrade to Drupal core 7.52

If you use Drupal 8.x, upgrade to Drupal core 8.2.3

Also see the Drupal core project page.

Reported by

Inconsistent name for term access query:

znerol

Incorrect cache context on password reset page:

Charlotte Bone

Confirmation forms allow external URLs to be injected:

jnicola

Ezra Wolfe

Denial of service via transliterate mechanism:

Lee Rowlands of the Drupal Security Team

Fixed by

Inconsistent name for term access query:

znerol

xjm of the Drupal Security Team

David Rothstein of the Drupal Security Team

Dave Reid of the Drupal Security Team

Larry Garfield

Incorrect cache context on password reset page:

Chris McCafferty, provisional Drupal Security Team member

xjm of the Drupal Security Team

Alex Pott of the Drupal Security Team

Michael Hess of the Drupal Security Team

Nathaniel Catchpole of the Drupal Security Team

Confirmation forms allow external URLs to be injected:

Peter Wolanin of the Drupal Security Team

Alex Pott of the Drupal Security Team

David Rothstein of the Drupal Security Team

Denial of service via transliterate mechanism:

Lee Rowlands of the Drupal Security Team

Cathy Theys of the Drupal Security Team

Alex Pott of the Drupal Security Team

Peter Wolanin of the Drupal Security Team

Daniel Wehner

Nate Haug

Heine Deelstra of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the 
contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure 
code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at 
https://twitter.com/drupalsecurity

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----