Detections
Analytics

Fedora 30 : drupal7 (2019-5f1a2cc839)

high Nessus Plugin ID 132647

Language:

Synopsis

The remote Fedora host is missing a security update.

Description

RPM notes :

 - All docs are now in `/usr/share/doc/drupal7/`

 - All licenses are now in `/usr/share/licenses/drupal7/`

 - Requires have been updated to include all [phpcompatinfo](http://php5.laurent-laville.org/compatin fo/) extension findings

### 7.69

Maintenance and security release of the Drupal 7 series.

This release fixes **security vulnerabilities**. Sites are **[urged to upgrade immediately](https://www.drupal.org/docs/7/update/introduction)** after reading the notes below and the security announcement :

 - [Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012](https://www.drupal.org/sa-core-2019-01 2)

No other fixes are included.

#### Important update information

 - Drupal 7 includes a bundled version of the pear/archive_tar project, the included version has been updated from 1.4.5 to 1.4.9 in order to mitigate [Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012](https://www.drupal.org/sa-core-2019-01 2)

No changes have been made to the `.htaccess`, `web.config`, `robots.txt`, or default `settings.php` files in this release, so upgrading custom versions of those files is not necessary.

### 7.68

Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major, non-backwards-compatible new functionality).

No security fixes are included in this release.

**This is the first release to fully support PHP 7.3. Please test and report any bugs in the issue queue.**

No changes have been made to robots.txt in this release, so upgrading custom versions of that file is not necessary.

However, changes have been made to .htaccess, web.config and sites/default/default.settings.php in this release.

The .htaccess and web.config changes are detailed in this Change Record :

 - Access to web.config is blocked in .htaccess (and vice-versa): https://www.drupal.org/node/3098687

Upgrading custom versions of .htaccess and web.config to incorporate this change is recommended, but not required.

There is one change to the sites/default/default.settings.php file in this release, but the only change is to file permissions :

 - [Regression] Fix default.settings.php permission:
 https://www.drupal.org/node/3035772

#### Major changes since 7.67

 - Fully support PHP 7.3

 - drupal_http_request() accepts data as an array in Drupal 7

 - Access to web.config is blocked in .htaccess (and vice-versa)

 - New 'scripts' element

 - theme_table() takes an optional footer variable and produces <tfoot>

#### All changes since 7.67

 - \#3098664 by mcdruid: drupal_http_build_query() only accepts arrays (followup to #3059391)

 - \#3097342 by mcdruid, Fabianx: Prepare Drupal 7.68 (CHANGELOG.txt)

 - \#3088938 by DamienMcKenna, webchick, mcdruid: Update the D7 maintainers list

 - \#2902430 by stefanos.petrakis, joseph.olstad, SergFromSD, kiamlaluno, Ayesh, mcdruid, alexpott: [PHP 7.1] A non-numeric value encountered in theme_pager()

 - \#2472025 by stupiddingo, stefanos.petrakis: [D7] Hide toolbar when printing

 - \#2171113 by Pol, wiifm, mw4ll4c3, David_Rothstein, douggreen, Fabianx: Settings returned via ajax are not run through hook_js_alter()

 - \#3059391 by Liam Morland: Use drupal_http_build_query() in drupal_http_request()

 - \#2966335 by mcdruid, dvandijk, David_Rothstein: Avoid DrupalRequestSanitizer not found fatal error when bootstrap phase order is changed

 - \#3025335 by mcdruid, mfb, joseph.olstad, Fabianx, kiamlaluno, Pol: [PHP 7.3] Cannot change session id when session is active

 - \#3055805 by mcdruid, greggles, Ayesh, Darren Oh, David_Rothstein, sidharrell, pwolanin, mkalkbrenner, Sweetchuck, YesCT: file.inc generated .htaccess does not cover PHP 7

 - \#3047412 by mcdruid, Chi, beckydev, DKAN, alexpott, sammuell, rabbitlair, longwave, greggles, interX: Block web.config in .htaccess (and vice-versa)

 - \#3047844 by mfb, jordanwood, Taran2L: Fix test failures on PHP 5.3

 - \#3088557: Add mcdruid as provisional Drupal 7 branch maintainer

 - \#3051370 by Pol, markcarver, Fabianx: Create 'scripts' element to align rendering workflow to how 'styles' are handled

 - \#2814031 by Liam Morland: In drupal_http_request(), allow passing data as array

 - \#1861604 by hefox, joseph.olstad, Sivaji, mgifford, webchick: Skip module_invoke/module_hook in calling hook_watchdog (excessive function_exist)

 - \#2666908 by iamEAP, cilefen: HTTP status 200 returned for &rdquo;Additional uncaught exception thrown while handling exception&rdquo;

 - \#1892654 by Pol, willvincent, Fabianx: D7 Backport:
 theme_table() should take an optional footer variable and produce

 - \#3009351 by Pol, mfb, BrianLP: [PHP &ge; 7.2] 'session_id(): Cannot change session id'

 - \#2684337 by geoffray, Pol, jweowu, Fabianx: Warning:
 uasort() expects parameter 1 to be array, null given in node_view_multiple()

 - \#3035772 by Pol: [Regression] Fix default.settings.php permission

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected drupal7 package.

See Also

http://php5.laurent-laville.org/compatinfo/

https://bodhi.fedoraproject.org/updates/FEDORA-2019-5f1a2cc839

https://www.drupal.org/docs/7/update/introduction)**

Plugin Details

Severity: High

ID: 132647

File Name: fedora_2019-5f1a2cc839.nasl

Version: 1.1

Type: local

Agent: unix

Published: 1/6/2020

Updated: 1/6/2020

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:drupal7, cpe:/o:fedoraproject:fedora:30

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 1/4/2020

Vulnerability Publication Date: 1/4/2020

Reference Information