
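Drupal Official Security Update (2020-09-16)

Source: Drupal official site Published: 2020-09-16 Views: 1340 Comments: 0

Basic information

Release date: 2020-09-16 (vendor local time)

Update type: Security update

Updated version: 8.8.10

Detection time: 2020-09-17 02:22:00

Risk level: Unknown

Intelligence contributor: TSRC

Update title

drupal 8.8.10

Update details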

Maintenance and security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007
Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008
Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010
Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011
No other fixes are included.
Which release do I choose? Security coverage information
Drupal 8.8.x will receive security coverage until December 2, 2020 when Drupal 9.1.0 is released.
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information

Once a site running Workspaces is upgraded for SA-CORE-2020-008, authenticated users may continue to see unauthorized workspace content that they accessed previously until they are logged out.
If it is important for the unintended access to stop immediately, you may wish to end all active user sessions on your site (for example, by truncating the sessions table). Be aware that this will immediately log all users out and can cause side effects like lost user input.


Sites that override \Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs for SA-CORE-2020-009.


Any site that relies on Drupal's AJAX API to perform trusted JSONP requests will need to either override the AJAX options to set "jsonp: true" or use the jQuery AJAX API directly.
If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false" where this is appropriate.
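
The review step described above, as an added example (not code from Drupal, jQuery, or this bulletin): it flags user-provided URLs that carry jQuery's documented "=?" JSONP callback placeholder and builds `$.ajax` settings that pin "jsonp: false". The helper names and sample URLs are hypothetical, and the pattern is an approximation of jQuery's placeholder check.

```javascript
// Added example: not Drupal or jQuery source. All helper names are hypothetical.

// jQuery documents "=?" in a URL as the JSONP callback placeholder. This
// pattern approximates that check, including the "??" form (assumption).
const JSONP_PLACEHOLDER = /=\?(?=&|$)|\?\?/;

// True when a URL carries a placeholder that lets a plain JSON request be
// handled as JSONP, i.e. the response is executed as script.
function hasJsonpPlaceholder(url) {
  return JSONP_PLACEHOLDER.test(String(url));
}

// Build $.ajax settings for a URL that came from user input. Fixed fields are
// merged last so caller-supplied settings cannot switch JSONP back on.
function untrustedUrlAjaxSettings(url, extra = {}) {
  const dataType = String(extra.dataType || "json");
  const kinds = dataType.toLowerCase().split(/\s+/);
  if (kinds.includes("jsonp") || kinds.includes("script")) {
    throw new Error("script-executing dataType refused for untrusted URL");
  }
  return Object.assign({}, extra, { url: String(url), dataType, jsonp: false });
}

// Review aid: list the URLs in a batch that contain the placeholder.
function auditUrls(urls) {
  return urls.filter(hasJsonpPlaceholder);
}

// Constructed sample input, not taken from any real site.
const SAMPLE_URLS = [
  "https://cms.example/api/items?page=2",
  "https://other.example/feed?callback=?",
  "https://other.example/feed?cb=?&limit=5",
  "https://cms.example/search?q=what??",
];
```

In a module, the object returned by `untrustedUrlAjaxSettings()` would be passed to `jQuery.ajax()`; `auditUrls(SAMPLE_URLS)` returns the three URLs that contain a placeholder.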


No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

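Software description

Drupal is an open-source content management framework (CMF) written in PHP. It consists of a content management system (CMS) and a PHP development framework.

CVE ID

TSRC analysis

None yet

Industry news

None yet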
