Security alerts

How is the module intended to work?

Security alerts (contrib) - 28 June 2014, 17:16
Project: UUID Node Properties
Version: 7.x-1.0-beta1
Status: Active
Priority: Normal
Category: Support request
Component: Miscellaneous
Assigned: Unassigned

If used with deployments, should it add dependencies (e.g., from a leaf book page to its parents) automatically?

It currently does not seem to handle such dependencies. If that's the current state of affairs (which is fine, I can take care of it in my own code), it would be nice, however, to have an explicit hint on the module page.

Thank you very much for the module, it enables using books with deploy!

Error when running cron

Security alerts (contrib) - 28 June 2014, 17:15

When I run cron, I get an error message and a link to https://www.drupal.org/SA-CORE-2013-003

Can someone explain to me what this means and how to solve the problem?

Drupal version: Drupal 7.x

Installing Zend Optimizer Plus Opcache on Linux/windows (Alternative for APC)

Security alerts (contrib) - 28 June 2014, 17:11

Installing on Windows

Download Zend Optimizer from the following link:

http://downloads.php.net/pierre/

You should download the thread-safe build if you are using mod_php with Apache 2 (ZendfOptimizerPlus-20130214-5.3-ts-vc9-x86.zip).

Change the following in your php.ini:

;Zend Optimizer
zend_extension = "C:\php-5.3\ext\php_ZendOptimizerPlus.dll"
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
opcache.fast_shutdown=1
opcache.enable_cli=1
;opcache.save_comments=0
;opcache.enable_file_override=1
;XDEBUG
zend_extension = "C:\php-5.3\ext\php_xdebug-2.2.5-5.3-vc9.dll"
xdebug.remote_enable=1
xdebug.remote_host=127.0.0.1
xdebug.remote_port=9000
; Port number must match debugger port number in NetBeans IDE Tools > Options > PHP
xdebug.remote_handler=dbgp
xdebug.profiler_enable=1
xdebug.profiler_output_dir="D:\www\tmp"

If you are using Xdebug, always load Zend Optimizer before Xdebug, as shown above.

Also, Zend Optimizer will not work if PHP is a debug build.

See this document: http://www.zend.com/topics/Zend-Optimizer-User-Guide-v330-new.pdf.

Check the installation with php -v:

c:\>php -v
PHP 5.3.28 (cli) (built: Dec 10 2013 22:27:36)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2013 Zend Technologies
    with Zend Optimizer+ v7.0.0, Copyright (c) 1999-2013, by Zend Technologies
    with Xdebug v2.2.5, Copyright (c) 2002-2014, by Derick Rethans

For further optimization please look at https://github.com/zendtech/ZendOptimizerPlus

Installing on Linux

$PHP_DIR/bin/phpize
./configure \
      --with-php-config=$PHP_DIR/bin/php-config
make
make install # this will copy opcache.so into PHP extension directory

Go to https://github.com/zendtech/ZendOptimizerPlus for more information.

Benchmark results at http://www.ricardclau.com/2013/03/apc-vs-zend-optimizer-benchmarks-with-...

Drupal version: Drupal 7.x

Setting an affiliate value using rules

Security alerts (contrib) - 28 June 2014, 17:09

I have installed the Affiliate module and am trying to set all of the users as affiliates when they create new accounts as opposed to them having to go into their profile and check the box.

I have tried 2 ways that haven't worked for me, i.e. when I do them, users still aren't marked as affiliates without having to go into the profile, turn it on and save the account.

Method 1:

function **edited**(&$edit, $account, $category) {
  if ($account->is_new) {
    $edit['data']['affiliate_optin'] = isset($edit['affiliate_optin']) ? $edit['affiliate_optin'] : 1;
  }
}

Method 2:

I created a rule that executes this custom PHP:

affiliate_insert_affiliate([account:uid],1);
affiliate_set_affiliate_status([account:uid],1);
affiliate_optin([account:uid],1);

I am starting to get pretty desperate so any help would be greatly appreciated.

Thanks,

Kris

Drupal version: Drupal 7.x

How to manage your photos on Flickr.com

Security alerts (contrib) - 28 June 2014, 16:50

To get the most out of the Drupal Flickr module, on your flickr.com account you should:

  1. complete the information associated with your account and your own photos
  2. put your own photos that you want to embed as a slideshow in photosets (aka 'albums' on Flickr)
  3. put the photos from others you want to embed as an album in galleries (not for your own photos, not available as slideshow)
  4. create an invite-only public group if you intend to display photos of a fixed group of flickr members without the need of giving them permissions on your website, e.g. for a sports club website
  5. know how to find appropriate keywords to fill a site quickly with public images related to the content based on taxonomy terms attached to a post.

No minimal password length?

Security alerts (contrib) - 28 June 2014, 16:43
Project: Password Reset Landing Page (PRLP)
Version: 7.x-1.0
Status: Active
Priority: Normal
Category: Feature request
Component: Code
Assigned: Unassigned

I installed this module, but I noticed I was able to create passwords with only 1 character?

On my normal password reset I had https://www.drupal.org/project/password_policy installed, but it seems this module and password_policy don't go together?

SA-CONTRIB-2014-065 - Custom Meta - Cross Site Scripting (XSS)

Security alerts (contrib) - 18 June 2014, 16:37
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-065
  • Project: Custom Meta (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-June-18
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The module allows you to define and manage custom meta tags.

The module does not sufficiently sanitize user input before displaying the attribute and content values for meta tags on the administration page.

This vulnerability is mitigated by the fact that an attacker must have access to an account with the permission "administer custom meta settings".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Custom Meta 6.x-1.x versions prior to 6.x-1.2.
  • Custom Meta 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Custom Meta module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Custom Meta project page.

Reported by
Fixed by
Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x

SA-CONTRIB-2014-064 - Course - Access bypass

Security alerts (contrib) - 18 June 2014, 16:04
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-064
  • Project: Course (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-June-18
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to create e-learning courses with any number of requirements for completion. A "Course object" is a relationship entity between a Course and a learning object, such as a Node.

The module doesn't sufficiently check access on Course object edit forms. The configuration options of any Course object are visible to any user including the anonymous user.

This vulnerability is mitigated by the fact that while the form and its configuration options can be viewed, no changes can be saved.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Course 6.x-1.x versions prior to 6.x-1.1.
  • Course 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Course module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Course module for Drupal 6.x, upgrade to Course 6.x-1.1
  • If you use the Course module for Drupal 7.x, upgrade to Course 7.x-1.2

Also see the Course project page.

Reported by
Fixed by
Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2014-063 - Easy Breadcrumb - Cross Site Scripting (XSS)

Security alerts (contrib) - 18 June 2014, 15:07
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-063
  • Project: Easy Breadcrumb (third-party module)
  • Version: 7.x
  • Date: 2014-June-18
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Easy Breadcrumb module generates breadcrumbs from path aliases.

This module does not properly sanitize user-supplied values creating a Cross Site Scripting (XSS) vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Easy Breadcrumb 7.x-2.x versions prior to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed Easy Breadcrumb module, there is nothing you need to do.

Solution

If you use the Easy Breadcrumb module for Drupal 7 upgrade to 7.x-2.10.

Also see the Easy Breadcrumb project page.

Reported by
Fixed by
Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2014-062 - Password Policy - Multiple vulnerabilities

Security alerts (contrib) - 18 June 2014, 14:58
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-062
  • Project: Password policy (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-June-18
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords.

Access bypass and information disclosure (7.x only)

The module has a history constraint, which when enabled, disallows a user's password from being changed to match a specified number of their previous passwords. For this to work, the module stores a history of all previous user password hashes from the time the module is enabled (regardless of whether the history constraint is enabled).

Upon upgrading from 6.x to 7.x, the module does not convert these hashes from the Drupal 6 format to the Drupal 7 format. This has two consequences:
1. Users can change their passwords to old passwords used in Drupal 6 in violation of the history constraint.
2. Previous user passwords from Drupal 6 are kept indefinitely in Drupal 7 as weak MD5 hashes. If a site is compromised, past user passwords are at high risk of exposure.

This vulnerability is mitigated by the fact that only sites using 7.x that have previously used 6.x are affected.
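As an added defender-side example (not code from the Password Policy module or the Drupal Security Team), the script below classifies the hashes in an exported password-history table by storage format, so a site that upgraded from 6.x can count how many entries are still unconverted Drupal 6 MD5 digests. The column names "uid" and "pass" and the sample rows are assumptions constructed for the example.

```python
"""Audit a password-history export for hashes still in the Drupal 6 (unsalted
MD5) format after a 6.x -> 7.x upgrade, the condition SA-CONTRIB-2014-062
describes. Added example, not code from the Password Policy module."""
import re
from collections import Counter

# Drupal 6 stored passwords as unsalted 32-character hex MD5 digests.
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# Drupal 7 core hashes: "$S$" + 1 iteration-count char + 8-char salt + 43-char digest.
DRUPAL7_SHA512 = re.compile(r"^\$S\$[./0-9A-Za-z]{52}$")
# Portable phpass hashes ("$P$"/"$H$"): 1 count char + 8-char salt + 22-char digest.
PHPASS_PORTABLE = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")


def classify_hash(stored: str) -> str:
    """Return a label describing the storage format of one stored hash."""
    stored = stored.strip()
    if LEGACY_MD5.match(stored):
        return "legacy-md5"            # D6 format: unsalted and fast to brute-force
    if stored.startswith("U") and DRUPAL7_SHA512.match(stored[1:]):
        return "md5-rehashed-by-core"  # D7 core's "U" wrapper around a migrated D6 hash
    if DRUPAL7_SHA512.match(stored):
        return "drupal7-sha512"
    if PHPASS_PORTABLE.match(stored):
        return "phpass-portable"
    return "unknown"


def audit(rows):
    """Summarise a list of {"uid": int, "pass": str} rows.

    Returns counts per format and the uids whose history still holds a legacy
    MD5 digest, i.e. the entries the advisory flags as an exposure risk.
    """
    counts = Counter()
    legacy_uids = []
    for row in rows:
        label = classify_hash(row["pass"])
        counts[label] += 1
        if label == "legacy-md5":
            legacy_uids.append(row["uid"])
    return {"counts": dict(counts), "legacy_uids": sorted(set(legacy_uids))}


# Constructed sample rows. The column names are an assumption about the history
# table, and the values are made up to have the right shape; none are real hashes.
SAMPLE_ROWS = [
    {"uid": 1, "pass": "5f4dcc3b5aa765d89d4f9ddbaa6e64f8"},
    {"uid": 2, "pass": "$S$Dabcdefgh" + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq"},
    {"uid": 1, "pass": "U$S$Dabcdefgh" + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq"},
    {"uid": 3, "pass": "$P$B" + "abcdefgh" + "ABCDEFGHIJKLMNOPQRSTUV"},
    {"uid": 4, "pass": "not-a-hash"},
    {"uid": 5, "pass": "E10ADC3949BA59ABBE56E057F20F883E"},
]

if __name__ == "__main__":
    report = audit(SAMPLE_ROWS)
    print("formats:", report["counts"])
    print("uids with legacy MD5 history entries:", report["legacy_uids"])
```

On a real site the rows would come from the module's history table; any uid reported under "legacy-md5" still has a Drupal 6 digest on disk and is the case the upgrade in the Solution section is meant to address.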

Access bypass (6.x)

The module has a feature that lets an administrator force a password change for one or more users at their next login. These users are unable to access the website beyond their account page until changing their password.

A bug exists in 6.x where a password change will not be enforced when a user_save() is performed between the time when the administrator forces the password change and the time the affected user logs in. This can lead to users retaining insecure passwords.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Password Policy 6.x-1.x versions prior to 6.x-1.7.
  • Password Policy 7.x-1.x versions prior to 7.x-1.7.
  • Password Policy 7.x-2.x versions prior to 7.x-2.0-alpha2.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.

Solution

Warning: If you are using 7.x, and have used 6.x in the past on the same site, you are advised to back up your database prior to upgrading to the latest version to reduce the risk of an unforeseen upgrade problem causing permanent loss of password history.

Install the latest version:

  • If you use the Password Policy module for Drupal 6.x, upgrade to 6.x-1.7
  • If you use the Password Policy 1.x module for Drupal 7.x, upgrade to 7.x-1.7
  • If you use the Password Policy 2.x module for Drupal 7.x, upgrade to 7.x-2.0-alpha2

Also see the Password policy project page.

Reported by
Fixed by
Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
