Created attachment 224441
Patch to update Drupal 7.78 to 7.80

Project: Drupal core
Date: 2021-April-21
Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
Description: Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.
https://www.drupal.org/sa-core-2021-002

No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.
Created attachment 224442
poudriere testport build log
Mail sent to maintainer.
To submitter: can you provide a vuxml entry?
I don't think there is one Kurt. The last entry for Drupal 7 is from 2020-10-17 which is for the upgrade to 7.73.
(In reply to Simon Wright from comment #4) Yes, because there is no vuxml entry for the bug: can you have a look at vuxml and try to compose a vuxml entry and add it to this PR?
Any other port/drupal/package names/versions vulnerable or affected?
This vulnerability and patch only affects Drupal 7.x to 7.78. Here is what I came up with for the vuxml entry:

  <vuln vid="f70ab05e-be06-11eb-b983-000c294bb613">
    <topic> -- </topic>
    <affects>
      <package>
        <name>drupal7</name>
        <range><gt>7.0</gt><lt>7.80</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Drupal Security team reports:</p>
        <blockquote cite="https://www.drupal.org/sa-core-2021-002">
          <p>Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2020-13672</cvename>
    </references>
    <dates>
      <discovery>2021-04-21</discovery>
      <entry></entry>
    </dates>
  </vuln>

As instructed I added it to the top of vuln.xml, then make validate gives me this error:

  /usr/ports/security/vuxml$ sudo make validate
  /bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln-flat.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
  /usr/ports/security/vuxml/vuln-flat.xml:1: parser error : Document is empty

  ^
  unable to parse /usr/ports/security/vuxml/vuln-flat.xml
  *** Error code 6

  Stop.
  make: stopped in /usr/ports/security/vuxml

and vuln-flat.xml is indeed empty.
Deleting vuln-flat.xml and re-running make validate gives:

  /usr/ports/security/vuxml$ sudo make validate
  xmllint -noent vuln.xml > vuln-flat.xml
  vuln.xml:103: parser error : Extra content at the end of the document
  <vuln vid="58b22f3a-bc71-11eb-b9c9-6cc21735f730">
  ^
  *** Error code 1

  Stop.
  make: stopped in /usr/ports/security/vuxml
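An added example, not code from this PR or from the ports tree: a small Python checker for a vuxml entry like the one posted above. It shows the well-formedness failure a mis-placed insert produces (an entry pasted outside the root element is "extra content" to xmllint, "junk after document element" to Python's expat), evaluates whether a given package version falls inside the entry's <range>, and flags the fields still left as placeholders. The vuxml namespace string, the crude dotted-numeric version ordering (pkg's real rules are more involved) and the lint checks are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}  # vuxml namespace (assumed here)
# Constructed sample: the <vuln> entry posted in this PR, description omitted.
ENTRY = """<vuln vid="f70ab05e-be06-11eb-b983-000c294bb613">
  <topic> -- </topic>
  <affects><package><name>drupal7</name><range><gt>7.0</gt><lt>7.80</lt></range></package></affects>
  <references><cvename>CVE-2020-13672</cvename></references>
  <dates><discovery>2021-04-21</discovery><entry></entry></dates>
</vuln>"""
GOOD_DOC = '<vuxml xmlns="%s">\n%s\n</vuxml>\n' % (NS["v"], ENTRY)
# The same entry pasted *after* the closing root tag, i.e. a mis-placed insert.
BAD_DOC = '<vuxml xmlns="%s">\n</vuxml>\n%s\n' % (NS["v"], ENTRY)

def parse_error(doc):
    # None when well-formed; expat reports "junk after document element" where xmllint says "Extra content".
    try:
        ET.fromstring(doc)
        return None
    except ET.ParseError as e:
        return str(e)

def vers_key(v):
    # Crude dotted-numeric ordering; a simplification of pkg's version rules.
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

CMP = {"gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "lt": lambda a, b: a < b, "le": lambda a, b: a <= b}

def affected(doc, pkgname, version):
    """True if `version` of `pkgname` lies inside any <range> of any entry."""
    for pkg in ET.fromstring(doc).iterfind(".//v:package", NS):
        if pkg.findtext("v:name", namespaces=NS) != pkgname:
            continue
        for rng in pkg.iterfind("v:range", NS):  # children are gt/ge/lt/le bounds
            if all(CMP[b.tag.split("}")[1]](vers_key(version), vers_key(b.text))
                   for b in rng):
                return True
    return False

def lint(doc):
    """Flag the fields a committer would still have to fill in."""
    issues = []
    for vuln in ET.fromstring(doc).iterfind("v:vuln", NS):
        if vuln.findtext("v:topic", default="", namespaces=NS).strip() in ("", "--"):
            issues.append("topic is a placeholder")
        if not vuln.findtext("v:dates/v:entry", default="", namespaces=NS).strip():
            issues.append("entry date missing")
    return issues
```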
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2b1037171f1a4591119c4bc354075b4e3503a397

commit 2b1037171f1a4591119c4bc354075b4e3503a397
Author:     Simon Wright <simon.wright@gmx.net>
AuthorDate: 2021-06-06 08:36:02 +0000
Commit:     Kurt Jaeger <pi@FreeBSD.org>
CommitDate: 2021-06-06 08:42:19 +0000

    www/drupal7: update 7.78 -> 7.80, fix security vulnerability

    PR:         255417
    MFH:        2021Q2
    Security:   CVE-2020-13672
                https://www.drupal.org/sa-core-2021-002
    Changes:    https://www.drupal.org/project/drupal/releases/7.80
    Approved by: joneum (maintainer timeout)

 www/drupal7/Makefile | 2 +-
 www/drupal7/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Committed, also the provided vuxml entry with minor formatting fixes.
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ab22de5d66db581138d3676f9e50b66fd0fb17d2

commit ab22de5d66db581138d3676f9e50b66fd0fb17d2
Author:     Simon Wright <simon.wright@gmx.net>
AuthorDate: 2021-06-06 08:36:02 +0000
Commit:     Kurt Jaeger <pi@FreeBSD.org>
CommitDate: 2021-06-06 11:06:57 +0000

    www/drupal7: update 7.78 -> 7.80, fix security vulnerability

    PR:         255417
    MFH:        2021Q2
    Security:   CVE-2020-13672
                https://www.drupal.org/sa-core-2021-002
    Changes:    https://www.drupal.org/project/drupal/releases/7.80
    Approved by: joneum (maintainer timeout)

    (cherry picked from commit 2b1037171f1a4591119c4bc354075b4e3503a397)

 www/drupal7/Makefile | 2 +-
 www/drupal7/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)