Bug 255417 - www/drupal7: Update to 7.80 (fixes security vulnerability)
Summary: www/drupal7: Update to 7.80 (fixes security vulnerability)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Kurt Jaeger
URL: https://www.drupal.org/sa-core-2021-002
Keywords: security
Depends on:
Blocks:
 
Reported: 2021-04-26 12:51 UTC by Simon Wright
Modified: 2021-06-06 11:08 UTC (History)
3 users (show)

See Also:
pi: maintainer-feedback-
pi: merge-quarterly+


Attachments
Patch to update Drupal 7.78 to 7.80 (809 bytes, patch)
2021-04-26 12:51 UTC, Simon Wright
simon.wright: maintainer-approval?
Details | Diff
poudriere testport build log (33.60 KB, text/plain)
2021-04-26 12:52 UTC, Simon Wright
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Simon Wright 2021-04-26 12:51:52 UTC
Created attachment 224441 [details]
Patch to update Drupal 7.78 to 7.80

Project: Drupal core
Date: 2021-April-21
Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
Description: 

Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances.

Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.

https://www.drupal.org/sa-core-2021-002

No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.
Comment 1 Simon Wright 2021-04-26 12:52:46 UTC
Created attachment 224442 [details]
poudriere testport build log
Comment 2 Simon Wright 2021-05-18 02:05:28 UTC
Mail sent to maintainer.
Comment 3 Kurt Jaeger freebsd_committer 2021-05-25 09:53:20 UTC
To submitter: can you provide a vuxml entry ?
Comment 4 Simon Wright 2021-05-25 11:06:53 UTC
I don't think there is one Kurt. The last entry for Drupal 7 is from 2020-10-17 which is for the upgrade to 7.73.
Comment 5 Kurt Jaeger freebsd_committer 2021-05-25 15:57:07 UTC
(In reply to Simon Wright from comment #4)
Yes, because there is no vuxml entry for the bug: Can you have a look
at vuxml and try to compose a vuxml entry and add it to this PR ?
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2021-05-26 00:49:22 UTC
Any other port/drupal/package names/versions vulnerable or affected?
Comment 7 Simon Wright 2021-05-26 11:13:39 UTC
This vulnerability and patch only affects Drupal 7.x to 7.78.

Here is what I came up with for the vuxml entry:

  <vuln vid="f70ab05e-be06-11eb-b983-000c294bb613">
    <topic> -- </topic>
    <affects>
      <package>
        <name>drupal7</name>
        <range><gt>7.0</gt><lt>7.80</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Drupal Security team reports:</p>
        <blockquote cite="https://www.drupal.org/sa-core-2021-002">
          <p>Drupal core's sanitization API fails to properly filter cross-site
scripting under certain circumstances. Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.</p>
        </blockquote>
      </body>
    </description>
    <references>
        <cvename>CVE-2020-13672</cvename>
    </references>
    <dates>
      <discovery>2021-04-21</discovery>
      <entry></entry>
    </dates>
  </vuln>

As instructed I added it to the top of vuln.xml then make validate gives me this error:

/usr/ports/security/vuxml$ sudo make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln-flat.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
/usr/ports/security/vuxml/vuln-flat.xml:1: parser error : Document is empty

^
unable to parse /usr/ports/security/vuxml/vuln-flat.xml
*** Error code 6

Stop.
make: stopped in /usr/ports/security/vuxml
and vuln-flat.xml is indeed empty.
Comment 8 Simon Wright 2021-05-26 11:34:57 UTC
Deleting vuln-flat.xml and re-running make validate gives:

/usr/ports/security/vuxml$ sudo make validate
xmllint -noent vuln.xml > vuln-flat.xml
vuln.xml:103: parser error : Extra content at the end of the document
  <vuln vid="58b22f3a-bc71-11eb-b9c9-6cc21735f730">
  ^
*** Error code 1

Stop.
make: stopped in /usr/ports/security/vuxml
Comment 9 commit-hook freebsd_committer 2021-06-06 08:42:44 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2b1037171f1a4591119c4bc354075b4e3503a397

commit 2b1037171f1a4591119c4bc354075b4e3503a397
Author:     Simon Wright <simon.wright@gmx.net>
AuthorDate: 2021-06-06 08:36:02 +0000
Commit:     Kurt Jaeger <pi@FreeBSD.org>
CommitDate: 2021-06-06 08:42:19 +0000

    www/drupal7: update 7.78 -> 7.80, fix security vulnerability

    PR:             255417
    MFH:            2021Q2
    Security:       CVE-2020-13672
                    https://www.drupal.org/sa-core-2021-002
    Changes:        https://www.drupal.org/project/drupal/releases/7.80
    Approved by:    joneum (maintainer timeout)

 www/drupal7/Makefile | 2 +-
 www/drupal7/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 10 Kurt Jaeger freebsd_committer 2021-06-06 08:50:59 UTC
Committed, also the provided vuxml entry with minor formatting fixes.
Comment 11 commit-hook freebsd_committer 2021-06-06 11:08:11 UTC
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ab22de5d66db581138d3676f9e50b66fd0fb17d2

commit ab22de5d66db581138d3676f9e50b66fd0fb17d2
Author:     Simon Wright <simon.wright@gmx.net>
AuthorDate: 2021-06-06 08:36:02 +0000
Commit:     Kurt Jaeger <pi@FreeBSD.org>
CommitDate: 2021-06-06 11:06:57 +0000

    www/drupal7: update 7.78 -> 7.80, fix security vulnerability

    PR:             255417
    MFH:            2021Q2
    Security:       CVE-2020-13672
                    https://www.drupal.org/sa-core-2021-002
    Changes:        https://www.drupal.org/project/drupal/releases/7.80
    Approved by:    joneum (maintainer timeout)

    (cherry picked from commit 2b1037171f1a4591119c4bc354075b4e3503a397)

 www/drupal7/Makefile | 2 +-
 www/drupal7/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)