[3.5] drupal7: Multiple vulnerabilities (CVE-2016-9449, CVE-2016-9450, CVE-2016-9451, CVE-2016-9452)
CVE-2016-9449: Inconsistent name for term access query
CVE-2016-9450: Incorrect cache context on password reset page
CVE-2016-9451: Confirmation forms allow external URLs to be injected
CVE-2016-9452: Denial of service via transliterate mechanism
Affected versions:
Drupal core 7.x versions prior to 7.52
Drupal core 8.x versions prior to 8.2.3
Solution:
If you use Drupal 7.x, upgrade to Drupal core 7.52
If you use Drupal 8.x, upgrade to Drupal core 8.2.3
Reference:
https://www.drupal.org/SA-CORE-2016-005
(from redmine: issue id 6492, created on 2016-11-25, closed on 2016-12-15)
- Relations:
- parent #6491 (closed)
- Changesets:
- Revision 387c6fda by Sergei Lukin on 2016-12-01T07:05:58Z:
community/drupal7: security upgrade to 7.52
fixes #6492
CVE-2016-9449, CVE-2016-9450, CVE-2016-9451, CVE-2016-9452