oss-security July 2011 archive

[oss-security] CVE Request -- Drupal 7 -- Access bypass in node listings (SA-CORE-2011-002)

From: Jan Lieskovsky <jlieskov_at_nospam>
Date: Mon Jul 11 2011 - 10:44:12 GMT
To: "Steven M. Christey" <coley@linus.mitre.org>

Hello Josh, Steve, vendors,

   this:
   [1] http://drupal.org/node/1204582

   From [1]: Access bypass in node listings:
   =========================================

   Listings showing nodes but not JOINing the node table show all
   nodes regardless of restrictions imposed by the node_access system.
   In core, this affects the taxonomy and the forum subsystem.

   ...

   Versions affected:
   ==================

   Drupal 7.0, 7.1 and 7.2.

References:
------------
[2] https://bugzilla.redhat.com/show_bug.cgi?id=717874
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633385

doesn't seem to have a CVE identifier allocated yet. Could you allocate one?

Thank you && Regards, Jan.
-- Jan iankko Lieskovsky / Red Hat Security Response Team
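
The flaw quoted from the advisory, shown as an added example that is not part of the original message and is not Drupal's code: a listing built only from `taxonomy_index` returns every node ID, while the same listing filtered against `node_access` grants returns only what the user may view. The schema is a simplified, constructed model of the Drupal 7 tables, and the function names and sample rows are assumptions.

```python
import sqlite3

# Simplified, constructed schema modelled on Drupal 7 tables (assumption:
# only the columns needed for the demonstration are present).
SCHEMA = """
CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE taxonomy_index (nid INTEGER, tid INTEGER);
CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT, grant_view INTEGER);
INSERT INTO node VALUES (1, 'public post'), (2, 'members-only post');
INSERT INTO taxonomy_index VALUES (1, 10), (2, 10);
-- realm 'all' = everyone; realm 'members' with gid 5 = a restricted group
INSERT INTO node_access VALUES (1, 0, 'all', 1), (2, 5, 'members', 1);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def listing_unchecked(db, tid):
    """Listing built only from taxonomy_index: no node table, no access check."""
    rows = db.execute(
        "SELECT t.nid FROM taxonomy_index t WHERE t.tid = ? ORDER BY t.nid", (tid,))
    return [r[0] for r in rows]

def listing_checked(db, tid, grants):
    """Same listing, restricted to nids with a matching view grant.
    grants: list of (realm, gid) pairs held by the current user."""
    if not grants:
        return []  # no grants means nothing is viewable
    cond = " OR ".join("(na.realm = ? AND na.gid = ?)" for _ in grants)
    params = [tid] + [v for g in grants for v in g]
    rows = db.execute(
        "SELECT t.nid FROM taxonomy_index t WHERE t.tid = ? AND EXISTS ("
        " SELECT 1 FROM node_access na WHERE na.nid = t.nid"
        " AND na.grant_view = 1 AND (" + cond + ")) ORDER BY t.nid", params)
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = open_db()
    anon = [("all", 0)]
    print("unchecked:", listing_unchecked(db, 10))
    print("checked, anonymous:", listing_checked(db, 10, anon))
    print("checked, member:", listing_checked(db, 10, anon + [("members", 5)]))
```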