CVE-2016-3171

Published: 12 April 2016

Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.

Priority

CVSS 3 base score: 8.1

Status

Package	Release	Status
drupal6 Launchpad, Ubuntu, Debian	precise	Does not exist (precise was needed)
	trusty	Does not exist
	upstream	Released (6.38)
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
drupal7 Launchpad, Ubuntu, Debian	precise	Does not exist (precise was not-affected)
	trusty	Does not exist (trusty was not-affected)
	upstream	Not vulnerable
	wily	Not vulnerable
	xenial	Not vulnerable
	yakkety	Not vulnerable
	zesty	Not vulnerable

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3171
https://www.drupal.org/SA-CORE-2016-001
http://www.openwall.com/lists/oss-security/2016/02/24/19
NVD
Launchpad
Debian

Bugs

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›