| Summary: | drupal new security issues fixed upstream in 7.24 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | davidwhodgins, fundawang, oe, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/575042/ | | |
| Whiteboard: | advisory MGA3-64-OK MGA3-32-OK | | |
| Source RPM: | drupal-7.24-1.mga3 | CVE: | |
| Status comment: | | | |

Description
David Walser 2013-11-22 03:08:58 CET

David Walser 2013-11-22 03:09:21 CET
Whiteboard: (none) => MGA3TOO, MGA2TOO

David Walser 2013-11-22 03:09:48 CET
Blocks: (none) => 11726

Removing Mageia 2 from the whiteboard due to EOL.
http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO

CVE information for the drupal update is here:
http://openwall.com/lists/oss-security/2013/11/22/4

drupal-7.24-1.mga4 uploaded for Cauldron.
Version: Cauldron => 3

Funda Wang 2013-11-24 16:48:38 CET
Blocks: 11726 => (none)

Uploaded drupal-7.24-1.mga3 into core/updates_testing.
Source RPM: drupal-7.22-2.mga4.src.rpm => drupal-7.24-1.mga3

Thanks Funda!

Updated packages in updates_testing:
drupal-7.24-1.mga3
drupal-mysql-7.24-1.mga3
drupal-postgresql-7.24-1.mga3
drupal-sqlite-7.24-1.mga3

from drupal-7.24-1.mga3.src.rpm

Advisory to come.
CC: (none) => fundawang

Funda, according to the upstream advisory, one more php_flag setting should be added to the <IfModule mod_php5.c> section in drupal.conf:

php_flag engine off

(see the "Warning: Fixing the code execution prevention may require server configuration" section).
https://drupal.org/SA-CORE-2013-003

Does that look right to you? Does that need to be added in the package?
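An added example, not part of this bug report or of the Mageia drupal package, for the two points raised in this thread: the `php_flag engine off` directive that SA-CORE-2013-003 expects in the `<IfModule mod_php5.c>` section, and the later remark that the protection is moot when .htaccess scanning is disabled, because then the directives must live in the server configuration (drupal.conf) instead of in the `.htaccess` Drupal drops into its files and tmp directories. The first function checks a `.htaccess` or vhost fragment for a catch-all `SetHandler` line and a guarded `php_flag engine off`; the second prints a `<Directory>` block with the same directives for an upload directory such as the `/var/lib/drupal/tmp` named in this bug. The handler name `Drupal_Security_Do_Not_Remove_See_SA_2013_003` and the `Options` lines are the ones upstream ships in `sites/default/files/.htaccess` from 7.24 on; everything else is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from this bug or the Mageia package): helpers around the
# SA-CORE-2013-003 "code execution prevention" directives for Drupal upload
# directories (files/, tmp/).

# drupal_upload_dir_hardened FILE
#   Returns 0 when FILE (a files/.htaccess or an Apache config fragment)
#   contains a catch-all SetHandler line and "php_flag engine off" inside an
#   <IfModule mod_php5.c> guard; returns 1 otherwise (missing file included).
drupal_upload_dir_hardened() {
    f="$1"
    [ -r "$f" ] || return 1
    # A SetHandler pointing at a handler that does not exist keeps Apache from
    # ever passing an uploaded file to a script interpreter (mod_php, mod_cgi).
    grep -Eq '^[[:space:]]*SetHandler[[:space:]]+[^[:space:]]+' "$f" || return 1
    # The php_flag must sit inside <IfModule mod_php5.c>: an unguarded php_flag
    # makes httpd refuse to start on hosts where mod_php is not loaded.
    awk '
        /<IfModule[[:space:]]+mod_php5\.c>/ { inmod = 1; next }
        /<\/IfModule>/                      { inmod = 0; next }
        inmod && /^[[:space:]]*php_flag[[:space:]]+engine[[:space:]]+off/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$f"
}

# drupal_upload_dir_server_config DIR
#   Prints a <Directory> block carrying the same directives, for servers where
#   .htaccess is not read (AllowOverride None), so the protection does not
#   depend on Drupal being able to create the .htaccess file in DIR.
drupal_upload_dir_server_config() {
    dir="$1"
    cat <<EOF
<Directory "$dir">
    Options None
    Options +FollowSymLinks
    SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
    <IfModule mod_php5.c>
        php_flag engine off
    </IfModule>
</Directory>
EOF
}

# Usage: sh check-drupal-upload-dir.sh FILE [DIR]
#   FILE is the .htaccess (or config fragment) to inspect; DIR defaults to the
#   directory FILE lives in and is used for the suggested server-config block.
if [ "$#" -ge 1 ]; then
    if drupal_upload_dir_hardened "$1"; then
        echo "$1: code execution prevention directives present"
    else
        echo "$1: missing SetHandler or guarded 'php_flag engine off'" >&2
        echo "If .htaccess is not read on this host, add this to drupal.conf:" >&2
        drupal_upload_dir_server_config "${2:-$(dirname "$1")}" >&2
    fi
fi
```

The check deliberately fails on an unguarded `php_flag engine off`, since that is the form that breaks httpd startup on a host without mod_php; the generated block passes the same check, so the two functions can be used together to verify that what was put into drupal.conf matches what the `.htaccess` would have provided.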
Advisory:
========================

Updated drupal packages fix security vulnerabilities:

Drupal's form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations (CVE-2013-6385).

Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances (CVE-2013-6386).

Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a cross-site scripting vulnerability (CVE-2013-6387).

A cross-site scripting vulnerability was found in the Color module. A malicious attacker could trick an authenticated administrative user into visiting a page containing specific JavaScript that could lead to a reflected cross-site scripting attack via JavaScript execution in CSS (CVE-2013-6388).

The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability (CVE-2013-6389).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6389
https://drupal.org/SA-CORE-2013-003
http://openwall.com/lists/oss-security/2013/11/22/4
========================

Updated packages in core/updates_testing:
========================
drupal-7.24-1.mga3
drupal-mysql-7.24-1.mga3
drupal-postgresql-7.24-1.mga3
drupal-sqlite-7.24-1.mga3

from drupal-7.24-1.mga3.src.rpm

Mandriva has issued an advisory for this today (November 26):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:287/
URL: (none) => http://lwn.net/Vulnerabilities/575042/

If I'm not mistaken we disabled .htaccess scanning a long time ago in Mandriva, due to performance and security issues, but I do not know if this has been removed in mga3+.

Either way this has been fixed in drupal-7.24-1.1.mga3. I was not able to force it to use /var/tmp/drupal which would be preferred in this case. So, access restrictions apply to /var/tmp, *BUT* if the user changes this in the configuration all bets are off if .htaccess scanning is disabled. drupal tries to mitigate this by adding a .htaccess file in the /var/lib/drupal/files/default/ and /var/tmp directories if not found.
CC: (none) => oe

fixed with drupal-7.24-1.1.mga3 and drupal-7.24-2.mga4

Putting files in /var/tmp is disallowed by the mageia build system so tmp is now at /var/lib/drupal/tmp.

Advisory 11729.adv committed to svn
CC: (none) => davidwhodgins

Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 11729.adv to updates.
Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2013-0359.html
Status: NEW => RESOLVED