Brian May <br...@linuxpenguins.xyz> writes:
> Drupal7, in Jessie has 3 security issues:
My proposed changes to drupal7 in Jessie: diff -Nru drupal7-7.32/debian/changelog drupal7-7.32/debian/changelog --- drupal7-7.32/debian/changelog 2019-05-20 20:05:42.000000000 +1000 +++ drupal7-7.32/debian/changelog 2020-06-15 07:30:19.000000000 +1000 @@ -1,3 +1,9 @@ +drupal7 (7.32-1+deb8u18) jessie-security; urgency=medium + + * Fix CVE-2020-13662 / SA-CORE-2020-003: Fix Open Redirect vulnerability. + + -- Brian May <b...@debian.org> Mon, 15 Jun 2020 07:30:19 +1000 + drupal7 (7.32-1+deb8u17) jessie-security; urgency=medium * Non-maintainer upload by the LTS Security Team. diff -Nru drupal7-7.32/debian/patches/CVE-2020-13662.patch drupal7-7.32/debian/patches/CVE-2020-13662.patch --- drupal7-7.32/debian/patches/CVE-2020-13662.patch 1970-01-01 10:00:00.000000000 +1000 +++ drupal7-7.32/debian/patches/CVE-2020-13662.patch 2020-06-15 07:30:19.000000000 +1000 @@ -0,0 +1,14 @@ +--- a/includes/common.inc ++++ b/includes/common.inc +@@ -684,7 +684,10 @@ + // We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector. + if (isset($_GET['destination']) && !url_is_external($_GET['destination'])) { + $destination = drupal_parse_url($_GET['destination']); +- $path = $destination['path']; ++ // Double check the path derived by drupal_parse_url() is not external. ++ if (!url_is_external($destination['path'])) { ++ $path = $destination['path']; ++ } + $options['query'] = $destination['query']; + $options['fragment'] = $destination['fragment']; + } diff -Nru drupal7-7.32/debian/patches/series drupal7-7.32/debian/patches/series --- drupal7-7.32/debian/patches/series 2019-05-20 20:05:42.000000000 +1000 +++ drupal7-7.32/debian/patches/series 2020-06-15 07:24:44.000000000 +1000 @@ -25,3 +25,4 @@ SA-CORE-2019-004 SA-CORE-2019-006 SA-CORE-2019-007 +CVE-2020-13662.patch -- Brian May <b...@debian.org>
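Review bot: The new debian/changelog entry for 7.32-1+deb8u18 lists only CVE-2020-13662 / SA-CORE-2020-003, while the quoted message above speaks of 3 security issues in Jessie. If the other two do not apply to 7.32 or are deferred, a line saying so in the changelog or the cover text would save the next reader from checking. The previous entry (7.32-1+deb8u17) also carries "* Non-maintainer upload by the LTS Security Team." and the new one does not; add it if this upload is made in the same capacity.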
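Review bot: In the includes/common.inc hunk of CVE-2020-13662.patch, $options['query'] and $options['fragment'] are still taken from $destination when the new !url_is_external($destination['path']) check fails, so a destination whose parsed path is rejected still supplies the query string and fragment of the redirect. The visible lines also do not show what $path holds in that case. Either move the two $options assignments inside the new if block, or add a comment that leaving them outside is intended and what $path falls back to. Separately, the patch file starts directly at "--- a/includes/common.inc" with no description or origin header, so the only record of where the change comes from is the changelog line.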
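Review bot: In the debian/patches/series hunk, the added entry "CVE-2020-13662.patch" breaks the naming pattern of the entries above it (SA-CORE-2019-004, SA-CORE-2019-006, SA-CORE-2019-007), which use the advisory id and no extension. Naming the file after SA-CORE-2020-003, the advisory id already cited in the changelog, would keep the series consistent; the file name in debian/patches would need to change to match.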