Welcome back to this week's Security Bulletin!
Christmas is coming! Everyone is ready for the Christmas vacation and the shopping season has started. Your inbox may be filling up with thousands of Christmas and holiday deals, and just one click on an attachment in a phishing email opens the door to scammers.
Many Christmas-themed games, shopping apps and chat applications have been found to be malicious, so we need to be careful when clicking links in them.
Here are a few best practices to keep in mind when downloading apps and shopping online:
- Check app reviews on reputable websites.
- Review the access permissions being requested by the app and evaluate if they are necessary for the functions of the app.
- Directly type the retailers’ websites, and avoid clicking on URLs found in emails and text messages, especially from unknown senders.
- Limit the amount of personal information provided to websites and apps.
- Regularly update devices’ operating systems and apps.
Django is a high-level Python web framework. Ubuntu has addressed a security issue in which the password reset functionality in Django used a Unicode case-insensitive query to retrieve the accounts associated with an email address. An attacker could possibly use this to obtain password reset tokens and hijack accounts.
It affects Ubuntu 19.10, Ubuntu 19.04, Ubuntu 18.04 LTS and Ubuntu 16.04 LTS. The problem can be corrected by updating the python-django packages or by running a standard system update.
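The defensive pattern behind this kind of fix, as an added example that is not code from Django or from the Ubuntu advisory: the database's case-insensitive lookup is treated as a first pass only, each hit is re-checked in Python with a normalised comparison whose rules do not depend on the database collation, and the reset token is sent to the address stored on the account rather than to the string the requester typed. The `User` class, `USERS` sample data and all function names are assumptions made for this illustration.

```python
import unicodedata
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class User:
    email: str                       # address stored at registration
    is_active: bool = True
    has_usable_password: bool = True


def unicode_ci_equal(a: str, b: str) -> bool:
    """Case-insensitive equality after NFKC normalisation, evaluated in
    Python so the outcome is the same on every database backend."""
    def norm(s: str) -> str:
        return unicodedata.normalize("NFKC", s).casefold()
    return norm(a) == norm(b)


def db_iexact_lookup(users: Iterable[User], email: str) -> List[User]:
    """Stand-in for an ORM case-insensitive query (e.g. email__iexact).
    In a real deployment the matching rules here belong to the database,
    which is exactly why the result is not trusted on its own."""
    return [u for u in users if u.email.casefold() == email.casefold()]


def users_for_reset(users: Iterable[User], submitted: str) -> List[User]:
    """Query first, then re-verify every hit against the stored address."""
    return [
        u for u in db_iexact_lookup(users, submitted)
        if u.is_active
        and u.has_usable_password
        and unicode_ci_equal(submitted, u.email)
    ]


def reset_recipients(users: Iterable[User], submitted: str) -> List[str]:
    """Addresses the reset token may be mailed to: always the stored
    account email, never the submitted string."""
    return [u.email for u in users_for_reset(users, submitted)]


# Constructed sample accounts for the illustration.
USERS = [
    User("alice@example.com"),
    User("bob@example.com", is_active=False),
]
```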
Drupal is a free, open source content management system, and its team has released security patches for four critical vulnerabilities. Content management systems are always a target for hackers, so Drupal users need to update their systems to the latest release: Drupal 7.69, 8.7.11 or 8.8.1.
The details of the vulnerabilities are given below:
Drupal uses the third-party library "Archive tar". Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them. The flaw lies in the method used to untar archives containing symlinks: by uploading a malicious tar file, an attacker can overwrite sensitive files.
Denial of Service (DoS)
The vulnerability in the install.php file of Drupal 8 allows attackers to corrupt cached data of the website.
Security Restriction Bypass
Attackers can upload sensitive files such as .htaccess, because the file upload function in Drupal does not strip leading and trailing dots (.) from file names.
If access to media items is not configured correctly, low-privileged users can gain access to restricted files.
Install the latest version:
- If you are using Drupal 7.x, upgrade to Drupal 7.69.
- If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11.
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1.
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.