SA-CONTRIB-2024-039 Clarification?

Created on 11 September 2024, 7 months ago
Updated 16 September 2024, 7 months ago

Hi,
There are two notes in the https://www.drupal.org/sa-contrib-2024-039 announcement that I hope you can clarify:

Which checkbox setting is this on /admin/config/system/seckit (is it Report Only?)
"This vulnerability is mitigated by the fact that to be affected a site must have seckit's CSP reporting functionality enabled"

Can you indicate which core versions are not vulnerable?
"Recent versions of Drupal 10 and 11 core are not vulnerable due to improved parsing of log messages."

💬 Support request
Status: Fixed
Version: 2.0
Component: Code
Created by: 🇺🇸United States kruser


Comments & Activities

  • Issue created by @kruser
  • 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺

    .. a site must have seckit's CSP reporting functionality enabled

    ...isn't necessarily as simple as one checkbox, unfortunately.

    Generally if you don't have seckit's overall CSP functionality enabled at all, the endpoint for receiving violation reports will be switched off.

    In the 7.x branch, reports will not be processed (even if CSP is enabled) if:

    • The overall "disable seckit" option is enabled.
    • The report-uri value is empty.

    See: https://git.drupalcode.org/project/seckit/-/blob/7.x-1.x/seckit.module?r...

    In the 2.x branch it doesn't look like the reporting endpoint gets disabled regardless of the settings; I have a feeling there's an issue open to change that.

  • 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺

    As for which D10/11 core releases include the improvements to log parsing which mean that this issue doesn't affect them...

    https://www.drupal.org/project/drupal/issues/2481349#comment-15427053 🐛 Prevent the use of placeholders that cannot be converted into strings when creating logs Fixed

    The commit was 4th February 2024 and was...

    .. Backported to 10.2.x as a low risk bug fix.

    Committed and pushed 367e57e7bc to 11.x and a335588be2 to 10.2.x.

    Looking at the list of core releases (not sure if there's a better place to see a listing along with the dates for each, but one way of seeing it is to look at a specific release node e.g. https://www.drupal.org/project/drupal/releases/10.3.4 ), the relevant ones seem to be:

    10.2.7 - 6 June 2024
    10.3.0-rc1 - 5 June 2024
    10.3.0-beta1 - 17 May 2024
    10.2.6 - 1 May 2024
    10.4.x-dev - 30 April 2024
    10.2.5 - 3 April 2024
    10.2.4 - 6 March 2024
    10.3.x-dev - 21 February 2024
    10.2.3 - 7 February 2024
    10.1.8 - 17 January 2024
    10.2.2 - 17 January 2024

    So we might assume that all stable 10.3.x releases have the change, and it was most likely included in 10.2.3

    Checking that: https://git.drupalcode.org/project/drupal/-/blob/10.2.3/core/lib/Drupal/...

    Yes, it was included in 10.2.3 - so that release and anything more recent should be unaffected.

    At the time of issuing the SA, the most recent Security Release of 10.2.x is still 10.2.2 from a few weeks before that change was committed, which is why the 2.x branch of seckit was still included in the SA.
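Added example, not part of this thread or of the seckit project: a small Python triage helper that encodes the two conditions mcdruid describes above, namely whether the site's core release contains the improved log-message parsing (10.2.3 and later 10.2.x, 10.3.x, 11.x) and whether seckit's CSP report endpoint actually processes reports (7.x: CSP enabled, "disable seckit" not set, non-empty report-uri; 2.x: not switched off by the settings). The `SeckitSite` field names, the `triage` function and the sample inventory are this example's own assumptions, not seckit configuration keys. It also assumes that 10.3.x pre-releases and -dev snapshots contain the fix because that branch was cut on 21 February 2024, after the 4 February commit; the thread only confirms stable 10.3.x.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Version strings as they appear on drupal.org release nodes: "10.2.7",
# "10.3.0-rc1", "10.4.x-dev", "11.x-dev", and Drupal 7 style "7.101".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+|x)(?:\.(\d+|x))?(?:-([a-z]+\d*))?$")

# First stable 10.2.x release containing the log-parsing fix (commit of
# 4 February 2024, backported to 10.2.x; confirmed in the thread for 10.2.3).
FIX_IN_10_2_PATCH = 3


def parse_core_version(version: str) -> Tuple[int, Optional[int], Optional[int], Optional[str]]:
    """Split a core version into (major, minor, patch, prerelease).

    'x' components (development branches) become None, as does a missing
    patch component. Raises ValueError for strings that are not a core version.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {version!r}")
    major, minor, patch, pre = m.groups()

    def to_int(component: Optional[str]) -> Optional[int]:
        return None if component in (None, "x") else int(component)

    return int(major), to_int(minor), to_int(patch), pre


def core_has_log_parsing_fix(version: str) -> bool:
    """True when this core release contains the improved log-message parsing."""
    major, minor, patch, _pre = parse_core_version(version)
    if major >= 11:
        return True  # 11.x received the commit directly
    if major == 10 and minor is not None:
        if minor >= 3:
            # Assumption: 10.3.x (branched 21 Feb 2024) and later, including
            # pre-releases and -dev, contain it; the thread confirms stable 10.3.x.
            return True
        if minor == 2:
            # 10.2.x-dev carries the backport; stable 10.2.3 and later do too.
            return patch is None or patch >= FIX_IN_10_2_PATCH
    return False  # 10.1.x and older, Drupal 7/9, anything else: no fix


@dataclass
class SeckitSite:
    """Constructed description of one site; field names are this example's own."""
    core_version: str
    seckit_branch: str             # "7.x" or "2.x"
    csp_enabled: bool = False      # seckit's overall CSP feature
    seckit_disabled: bool = False  # the 7.x "disable seckit" option
    report_uri: str = ""           # CSP report-uri value


def report_endpoint_processes_reports(site: SeckitSite) -> bool:
    """Whether seckit's violation-report endpoint will process incoming reports."""
    if site.seckit_branch.startswith("7."):
        # 7.x: endpoint is off without CSP, and reports are dropped when seckit
        # is disabled or report-uri is empty.
        return site.csp_enabled and not site.seckit_disabled and bool(site.report_uri.strip())
    # 2.x: per the thread, the endpoint is not switched off by the settings.
    return True


def triage(site: SeckitSite) -> Tuple[str, str]:
    """Return (status, reason) with status 'unaffected', 'mitigated' or 'review'."""
    if core_has_log_parsing_fix(site.core_version):
        return "unaffected", f"core {site.core_version} parses log messages safely"
    if not report_endpoint_processes_reports(site):
        return "mitigated", "seckit's CSP report endpoint does not process reports"
    return "review", ("core lacks the fix and the report endpoint is active: "
                      "apply the seckit release from SA-CONTRIB-2024-039")


if __name__ == "__main__":
    # Constructed sample inventory, not real sites.
    fleet = [
        SeckitSite("10.2.2", "2.x", csp_enabled=True, report_uri="/report-csp-violation"),
        SeckitSite("10.2.3", "2.x", csp_enabled=True, report_uri="/report-csp-violation"),
        SeckitSite("10.3.0-beta1", "2.x"),
        SeckitSite("7.101", "7.x", csp_enabled=True, report_uri="/report-csp-violation"),
        SeckitSite("7.101", "7.x", csp_enabled=True, report_uri=""),
    ]
    for s in fleet:
        status, why = triage(s)
        print(f"{s.core_version:>13} seckit {s.seckit_branch}: {status} ({why})")
```

The version check is deliberately conservative: anything it cannot place on the fixed side of the 4 February 2024 commit (10.1.x, Drupal 7 or 9, unparseable strings raise) is reported as lacking the fix, so the only way to reach "unaffected" is a release the thread's reasoning actually covers.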

  • Status changed to Fixed 7 months ago
  • 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺

    Hopefully clarification has been provided, so closing as we don't need more open issues in the queue :)

  • 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
  • 🇺🇸United States kruser

    thank you!

  • Automatically closed - issue fixed for 2 weeks with no activity.
