View online: https://www.drupal.org/SA-2017-001

Drupal 8.2.7, a maintenance release which contains fixes for security
vulnerabilities, is now available for download.

Download Drupal 8.2.7 [1]

*Upgrading [2] your existing Drupal 8 sites is strongly recommended.* There
are no new features nor non-security-related bug fixes in this release. See
the 8.2.7 release notes [3] for details on important changes and known issues
affecting this release. Read on for details of the security vulnerabilities
that were fixed in this release.
* Advisory ID: DRUPAL-SA-CORE-2017-001
* Project: Drupal core [4]
* Version: 7.x, 8.x
* Date: 2017-March-15

——– DESCRIPTION
———————————————————

.. Editor module incorrectly checks access to inline private files – Drupal 8
– Access Bypass – Critical – CVE-2017-6377

When adding a private file via a configured text editor (like CKEditor), the
editor will not correctly check access for the file being attached, resulting
in an access bypass.

.. Some admin paths were not protected with a CSRF token – Drupal 8 – Cross
Site Request Forgery – Moderately Critical – CVE-2017-6379

Some administrative paths did not include protection for CSRF. This would
allow an attacker to disable some blocks on a site. This issue is mitigated
by the fact that users would have to know the block ID.

.. Remote code execution – Drupal 8 – Remote code execution – Moderately
Critical – CVE-2017-6381

A 3rd party development library including with Drupal 8 development
dependencies is vulnerable to remote code execution.

This is mitigated by the default .htaccess protection against PHP execution,
and the fact that Composer development dependencies aren’t normal installed.

You might be vulnerable to this if you are running a version of Drupal before
8.2.2. To be sure you aren’t vulnerable, you can remove the
/vendor/phpunit directory from the site root of your production deployments.

——– SOLUTION
————————————————————

Upgrade to Drupal 8.2.7
——– REPORTED BY
———————————————————

.. Editor module incorrectly checks access to inline private files – Drupal 8
– Access Bypass – Critical – CVE-2017-6377

* Casey [5]

.. Some admin paths were not protected with a CSRF token – Drupal 8 – Cross
Site Request Forgery – Moderately Critical – CVE-2017-6379

* Samuel Mortenson [6]

.. Remote code execution – Drupal 8 – Remote code execution – Moderately
Critical – CVE-2017-6381

* Timo Hilsdorf [7]

——– FIXED BY
————————————————————

.. Editor module incorrectly checks access to inline private files – Drupal 8
– Access Bypass – Critical – CVE-2017-6377

* László Csécsy [8]
* Wim Leers [9]
* Alex Pott [10] of the Drupal Security Team
* Klaus Purer [11] of the Drupal Security Team

.. Some admin paths were not protected with a CSRF token – Drupal 8 – Cross
Site Request Forgery – Moderately Critical – CVE-2017-6379

* Samuel Mortenson [12]
* Sascha Grossenbacher

.. Remote code execution – Drupal 8 – Remote code execution -Moderately
Critical – CVE-2017-6381

* Klaus Purer [13] Of the Drupal Security Team
* Mixologic [14]

——– CONTACT AND MORE INFORMATION
—————————————-

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [15].

Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [19]

[1] http://ftp.drupal.org/files/projects/drupal-8.2.7.tar.gz
[2] https://www.drupal.org/upgrade
[3] https://www.drupal.org/project/drupal/releases/8.2.7
[4] https://www.drupal.org/project/drupal
[5] https://www.drupal.org/u/casey
[6] http://drupal.org/u/samuel.mortenson
[7] https://www.drupal.org/user/3506593
[8] https://www.drupal.org/u/Boobaa
[9] https://www.drupal.org/u/wim-leers
[10] https://www.drupal.org/u/alexpott
[11] https://www.drupal.org/u/klausi
[12] https://www.drupal.org/u/samuel.mortenson
[13] https://www.drupal.org/u/klausi
[14] https://www.drupal.org/u/Mixologic
[15] https://www.drupal.org/contact
[16] https://www.drupal.org/security-team
[17] https://www.drupal.org/writing-secure-code
[18] https://www.drupal.org/security/secure-configuration
[19] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news