Bug 13876

Summary: drupal new XML-RPC DoS security issue fixed upstream in 7.31
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/608409/
Whiteboard: MGA3TOO MGA3-32-OK mga4-64-ok has_procedure advisory
Source RPM: drupal-7.29-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-08-07 20:29:15 CEST 
Upstream has issued an advisory on August 6:
https://www.drupal.org/SA-CORE-2014-004

A CVE has been requested:
http://openwall.com/lists/oss-security/2014/08/07/1

No response yet.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Waiting on the CVE assignment for the advisory.

Updated packages in core/updates_testing:
========================
drupal-7.31-1.mga3
drupal-mysql-7.31-1.mga3
drupal-postgresql-7.31-1.mga3
drupal-sqlite-7.31-1.mga3
drupal-7.31-1.mga4
drupal-mysql-7.31-1.mga4
drupal-postgresql-7.31-1.mga4
drupal-sqlite-7.31-1.mga4

from SRPMS:
drupal-7.31-1.mga3.src.rpm
drupal-7.31-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-08-07 20:29:48 CEST 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13271#c16

Whiteboard: (none) => MGA3TOO has_procedure

Comment 2 Rémi Verschelde 2014-08-07 22:10:01 CEST 
Testing complete Mageia 3 32bit.

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure => MGA3TOO MGA3-32-OK has_procedure

Comment 3 Rémi Verschelde 2014-08-07 22:13:40 CEST 
I also tested installing Drupal in French btw, following the instructions given in the language choice page to retrieve translations.
Comment 4 claire robinson 2014-08-08 15:40:44 CEST 
Testing complete mga4 64

Ready to validate once advisory is uploaded.

Whiteboard: MGA3TOO MGA3-32-OK has_procedure => MGA3TOO MGA3-32-OK mga4-64-ok has_procedure

Comment 5 David Walser 2014-08-11 15:56:27 CEST 
As Claire said, this one can be validated too.

Just like wordpress, no response to the CVE request yet, so this is all I have.

Advisory:
========================

Updated drupal packages fix security vulnerability:

A denial of service issue exists in Drupal before 7.31, due to XML entity
expansion in a publicly accessible XML-RPC endpoint.

The drupal package has been updated to version 7.31 to fix this issue and
other bugs.  See the upstream advisory and release notes for more details.

References:
https://www.drupal.org/SA-CORE-2014-004
https://www.drupal.org/drupal-7.30
https://www.drupal.org/drupal-7.30-release-notes
https://www.drupal.org/drupal-7.31
https://www.drupal.org/drupal-7.31-release-notes

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 David Walser 2014-08-11 17:07:38 CEST 
Debian has issued an advisory for this on August 9:
https://www.debian.org/security/2014/dsa-2999

URL: (none) => http://lwn.net/Vulnerabilities/608409/

Comment 7 Rémi Verschelde 2014-08-11 17:48:55 CEST 
Advisory uploaded.

Whiteboard: MGA3TOO MGA3-32-OK mga4-64-ok has_procedure => MGA3TOO MGA3-32-OK mga4-64-ok has_procedure advisory

Comment 8 Mageia Robot 2014-08-12 11:17:38 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0329.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2014-08-21 19:56:54 CEST 
MITRE finally assigned some CVEs (CVE-2014-526[567]):
http://openwall.com/lists/oss-security/2014/08/16/4

LWN reference:
http://lwn.net/Vulnerabilities/609181/