Arch Linux alert ASA-201804-10 (drupal) [LWN.net]

From:
    	       Jelle van der Waa <jelle@archlinux.org> 
To:
    	       arch-security@archlinux.org 
Subject:
    	       [ASA-201804-10] drupal: arbitrary command execution 
Date:
    	       Sun, 29 Apr 2018 20:19:04 +0200
Message-ID:
    	       <20180429181903.fpeprpvn7r5c3wft@mail.archlinux.org>
Arch Linux Security Advisory ASA-201804-10
==========================================

Severity: Critical
Date    : 2018-04-27
CVE-ID  : CVE-2018-7602
Package : drupal
Type    : arbitrary command execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-679

Summary
=======

The package drupal before version 8.5.3-1 is vulnerable to arbitrary
command execution.

Resolution
==========

Upgrade to 8.5.3-1.

# pacman -Syu "drupal>=8.5.3-1"

The problem has been fixed upstream in version 8.5.3.

Workaround
==========

None.

Description
===========

A remote code execution vulnerability exists within multiple subsystems
of Drupal 7.x and 8.x. This potentially allows attackers to exploit
multiple attack vectors on a Drupal site, which could result in the
site being compromised.

Impact
======

A remote attacker is able to execute arbitrary code by performing a
specially crafted request.

References
==========

https://www.drupal.org/sa-core-2018-004
https://github.com/drupal/drupal/commit/bb6d396609600d116...
https://security.archlinux.org/CVE-2018-7602

From:		Jelle van der Waa <jelle@archlinux.org>
To:		arch-security@archlinux.org
Subject:		[ASA-201804-10] drupal: arbitrary command execution
Date:		Sun, 29 Apr 2018 20:19:04 +0200
Message-ID:		<20180429181903.fpeprpvn7r5c3wft@mail.archlinux.org>