Security Advisories
SA-CORE-2013-002 - Drupal core - Denial of service
- Advisory ID: DRUPAL-SA-CORE-2013-002
- Project: Drupal core
- Version: 7.x
- Date: 2013-February-20
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Denial of service
Drupal core's Image module generates image derivatives on demand: the first request for a derivative that does not yet exist triggers image processing and writes the result to disk. This can be abused by requesting a large number of new derivatives, which can fill up the server's disk space and drive CPU load very high. Either effect may leave the site unavailable or unresponsive.
Please see the Drupal 7.20 release notes for important notes about the changes which were made to fix this issue, since some sites will require extra testing and care when deploying this Drupal core release.
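The core of the issue above is that any client can make the server do expensive work (image processing plus a disk write) simply by naming a derivative that does not yet exist. The general mitigation for that class of problem is to refuse derivative URLs the site did not itself mint, by binding each URL to a keyed token that is checked before any work is done. The Python below is an added illustration of that technique written for this page; it is not Drupal's code and does not reproduce the exact change shipped in 7.20. The secret, the style list, the `/sites/default/files/styles/<style>/public/<path>` URL shape, the `tok` query parameter and the sample traffic are all assumptions constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Hypothetical per-site secret (assumption: a real deployment loads it from
# configuration, never hard-codes it, and rotates it if it leaks).
SITE_SECRET = b"example-site-private-key-do-not-reuse"

# Styles this site actually defines; anything else is refused before any work is done.
ALLOWED_STYLES = {"thumbnail", "medium", "large"}

# Assumed URL prefix under which derivative requests arrive.
DERIVATIVE_PREFIX = "/sites/default/files/styles/"


def derivative_token(style: str, path: str, key: bytes = SITE_SECRET) -> str:
    """Keyed token binding one derivative URL to its (style, source path) pair.

    Only code holding the key can mint it, so a client cannot invent URLs for
    derivatives the site never linked to. Truncated to 16 hex chars for URL brevity.
    """
    msg = f"{style}:{path}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def signed_derivative_url(style: str, path: str, key: bytes = SITE_SECRET) -> str:
    """URL the site itself would emit for a derivative, carrying its token in the query."""
    return f"{DERIVATIVE_PREFIX}{style}/public/{path}?tok={derivative_token(style, path, key)}"


def parse_derivative_request(url: str):
    """Split a request URL into (style, source path, token); None if it is not a derivative URL."""
    parts = urlsplit(url)
    if not parts.path.startswith(DERIVATIVE_PREFIX):
        return None
    style, sep, path = parts.path[len(DERIVATIVE_PREFIX):].partition("/public/")
    if not sep or not style or not path:
        return None
    token = parse_qs(parts.query).get("tok", [""])[0]
    return style, path, token


def authorize_derivative(url: str, key: bytes = SITE_SECRET):
    """Decide, before touching disk or the image library, whether to generate this derivative.

    Returns (allowed, reason). Every rejection happens on a cheap string check,
    which is the point: an attacker must not be able to trigger expensive work on demand.
    """
    parsed = parse_derivative_request(url)
    if parsed is None:
        return False, "not a derivative URL"
    style, path, token = parsed
    if style not in ALLOWED_STYLES:
        return False, "unknown style"
    expected = derivative_token(style, path, key)
    # compare_digest on bytes avoids timing leaks and a TypeError on non-ASCII input
    if not token or not hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8")):
        return False, "missing or invalid token"
    return True, "ok"


def triage(requests, key: bytes = SITE_SECRET):
    """Partition a batch of request URLs into those worth generating and those refused."""
    allowed, refused = [], []
    for url in requests:
        ok, reason = authorize_derivative(url, key)
        (allowed if ok else refused).append((url, reason))
    return allowed, refused


if __name__ == "__main__":
    # Constructed sample traffic: two URLs the site itself emitted, followed by
    # the kinds of requests a flood against on-demand generation consists of.
    legit = [signed_derivative_url("thumbnail", "2013/photo.jpg"),
             signed_derivative_url("large", "2013/photo.jpg")]
    good_tok = derivative_token("thumbnail", "2013/photo.jpg")
    flood = [
        f"{DERIVATIVE_PREFIX}thumbnail/public/2013/photo.jpg",                  # no token at all
        f"{DERIVATIVE_PREFIX}thumbnail/public/2013/photo.jpg?tok=deadbeef",     # guessed token
        f"{DERIVATIVE_PREFIX}thumbnail/public/2013/other.jpg?tok={good_tok}",   # token replayed on another path
        f"{DERIVATIVE_PREFIX}large/public/2013/photo.jpg?tok={good_tok}",       # token replayed on another style
        f"{DERIVATIVE_PREFIX}huge_9999/public/2013/photo.jpg?tok={good_tok}",   # style that does not exist
    ]
    allowed, refused = triage(legit + flood)
    for url, reason in allowed + refused:
        print(f"{reason:26} {url}")
```

The token closes the unbounded vector (new derivatives of the attacker's choosing) but not repetition: a client can still request one validly signed derivative many times, which is why it matters that the derivative is written once and then served as a plain file. A change of this kind also breaks any derivative URLs that were hard-coded or cached without a token, which is the sort of deployment impact the release notes referenced above ask sites to test for.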
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Drupal core 7.x versions prior to 7.20.
Install the latest version:
- If you use Drupal 7.x, upgrade to Drupal core 7.20.
Also see the Drupal core project page.
Reported by
- Damien Tournoud of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- David Rothstein of the Drupal Security Team
- Heine Deelstra of the Drupal Security Team
- Bèr Kessels
Fixed by
- David Rothstein of the Drupal Security Team
- Stéphane Corlosquet of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
