Bug 12325

Summary: drupal new security issues fixed in 7.26
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, fundawang, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/581545/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Source RPM: drupal-7.24-3.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-01-16 16:36:44 CET 
CVEs have been assigned for security issues fixed in drupal 7.26:
http://openwall.com/lists/oss-security/2014/01/16/3
https://drupal.org/SA-CORE-2014-001

Reproducible: 

Steps to Reproduce:
David Walser 2014-01-16 16:37:03 CET

Whiteboard: (none) => MGA3TOO

David Walser 2014-01-17 17:26:19 CET

Blocks: (none) => 11726

Comment 1 David Walser 2014-01-21 20:45:39 CET 
Debian has issued an advisory for this on January 20:
http://www.debian.org/security/2014/dsa-2847

URL: (none) => http://lwn.net/Vulnerabilities/581545/

Comment 2 David Walser 2014-01-26 22:59:01 CET 
Updated package uploaded for Mageia 3.  Freeze push requested for Cauldron.

Advisory:
========================

Updated drupal packages fix security vulnerabilities:

Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID
module that allows a malicious user to log in as other users on the site,
including administrators, and hijack their accounts (CVE-2014-1475).

Matt Vance and Damien Tournoud reported an access bypass vulnerability in the
taxonomy module. Under certain circumstances, unpublished content can appear on
listing pages provided by the taxonomy module and will be visible to users who
should not have permission to see it (CVE-2014-1476).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1476
https://drupal.org/SA-CORE-2014-001
http://www.debian.org/security/2014/dsa-2847
========================

Updated packages in core/updates_testing:
========================
drupal-7.26-1.mga3
drupal-mysql-7.26-1.mga3
drupal-postgresql-7.26-1.mga3
drupal-sqlite-7.26-1.mga3

from drupal-7.26-1.mga3.src.rpm

CC: (none) => fundawang
Version: Cauldron => 3
Assignee: fundawang => qa-bugs
Whiteboard: MGA3TOO => (none)
Severity: normal => critical

Comment 3 David Walser 2014-01-26 23:16:56 CET 
drupal-7.26-1.mga4 uploaded for Cauldron.

Blocks: 11726 => (none)

Dave Hodgins 2014-01-31 01:21:35 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 4 Dave Hodgins 2014-01-31 02:42:47 CET 
Took me a while, as I'd forgotten you have to go to
http://127.0.0.1/drupal/install.php
to get the initial database creation to work.

Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 12325.adv to updates.

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2014-01-31 18:07:44 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0031.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED