| Summary: | drupal new security issue CVE-2014-3704 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | lewyssmith, olchal, ottoleipala1, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/616445/ | ||
| Whiteboard: | MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK advisory | ||
| Source RPM: | drupal-7.31-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-10-15 22:10:12 CEST
David Walser
2014-10-15 22:10:18 CEST
Whiteboard:
(none) =>
MGA4TOO, MGA3TOO

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory to come later. For now see the reference in Comment 0.

drupal-7.32-1.mga3.src.rpm
drupal-7.32-1.mga4.src.rpm

Version:
Cauldron =>
4

Debian has issued an advisory for this on October 15:
http://www.debian.org/security/2014/dsa-3051

This is highly critical and should be considered a priority update.

Advisory:
========================

Updated drupal packages fix security vulnerability:

An SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries, and thereby completely control the Drupal site. This vulnerability can be exploited by remote attackers without any kind of authentication required (CVE-2014-3704).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
https://www.drupal.org/SA-CORE-2014-005
https://www.drupal.org/drupal-7.31
https://www.drupal.org/drupal-7.31-release-notes
http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
http://www.debian.org/security/2014/dsa-3051
========================

Updated packages in core/updates_testing:
========================
drupal-7.32-1.mga3
drupal-mysql-7.32-1.mga3
drupal-postgresql-7.32-1.mga3
drupal-sqlite-7.32-1.mga3
drupal-7.32-1.mga4
drupal-mysql-7.32-1.mga4
drupal-postgresql-7.32-1.mga4
drupal-sqlite-7.32-1.mga4

from SRPMS:
drupal-7.32-1.mga3.src.rpm
drupal-7.32-1.mga4.src.rpm
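The advisory text above names the cause only as "the way the Drupal core handles prepared statements". The following is an added illustration, written for this page and not code from Drupal or from this bug report: it reduces the bug class documented in the referenced SektionEins advisory (a query argument that is an array is expanded into one placeholder per element, and the unfixed code derived the new placeholder names from the array's keys, which in PHP come straight from a form field such as `name[<key>]=value`) to two small Python functions with hypothetical names. `expand_by_key` shows the unsafe pattern, `expand_by_index` the safe one, and `placeholders_well_formed` is the kind of assertion a query builder can make before handing a statement to the driver. The query string and the two inputs are constructed for the example.

```python
"""Placeholder expansion for array-valued query arguments: keyed (unsafe)
versus positional (safe).  Added illustration of the CVE-2014-3704 bug
class; hypothetical function names, not Drupal's code."""

import re

# A bound placeholder name must be a plain identifier, nothing else.
PLACEHOLDER_NAME = re.compile(r"^:[A-Za-z_][A-Za-z0-9_]*$")


def _splice(query, key, names):
    """Replace the single placeholder `key` with a comma-separated list."""
    joined = ", ".join(names)
    # Lambda replacement so that characters in `joined` are inserted verbatim
    # (no backslash processing), exactly as the SQL string will carry them.
    return re.sub(re.escape(key) + r"\b", lambda _m: joined, query)


def _items(value):
    """(key, element) pairs; a PHP list is just an array with integer keys."""
    if isinstance(value, dict):
        return list(value.items())
    return list(enumerate(value))


def expand_by_key(query, args):
    """UNSAFE: new placeholder names are built from caller-supplied keys.

    With a dict whose keys came from an HTTP parameter name, the key text
    becomes part of the SQL string itself, outside any bound value.
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, (list, tuple, dict)):
            continue
        new_keys = {f"{key}_{i}": v for i, v in _items(data)}
        query = _splice(query, key, new_keys)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_by_index(query, args):
    """SAFE: keys are discarded; only values and their positions are used."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, (list, tuple, dict)):
            continue
        values = list(data.values()) if isinstance(data, dict) else list(data)
        new_keys = {f"{key}_{i}": v for i, v in enumerate(values)}
        query = _splice(query, key, new_keys)
        del args[key]
        args.update(new_keys)
    return query, args


def placeholders_well_formed(args):
    """Defensive check: every name about to be bound is a plain identifier."""
    return all(PLACEHOLDER_NAME.match(k) for k in args)


# Constructed sample inputs.  HOSTILE models what PHP builds from a request
# carrying name[0 ; DROP TABLE users ; -- ]=x&name[1]=y.
QUERY = "SELECT uid FROM users WHERE name IN (:name)"
BENIGN = {":name": ["alice", "bob"]}
HOSTILE = {":name": {"0 ; DROP TABLE users ; -- ": "x", "1": "y"}}


def demo():
    """Expand the hostile input both ways and report what would be sent."""
    q_bad, a_bad = expand_by_key(QUERY, HOSTILE)
    q_good, a_good = expand_by_index(QUERY, HOSTILE)
    return {
        "unsafe_query": q_bad,
        "unsafe_names_ok": placeholders_well_formed(a_bad),
        "safe_query": q_good,
        "safe_names_ok": placeholders_well_formed(a_good),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the keyed variant producing `... IN (:name_0 ; DROP TABLE users ; -- , :name_1)`: the driver receives SQL text that originated in a parameter name, and prepared statements offer no protection because the injection happens before the statement is prepared. The positional variant yields `... IN (:name_0, :name_1)` whatever the keys were. The well-formedness check catches the first case, but it is a belt-and-braces measure, not a substitute for the 7.32 update.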
David Walser
2014-10-16 18:09:54 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/616445/

Correcting the 7.31/7.32 links in the advisory.

Advisory:
========================

Updated drupal packages fix security vulnerability:

An SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries, and thereby completely control the Drupal site. This vulnerability can be exploited by remote attackers without any kind of authentication required (CVE-2014-3704).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
https://www.drupal.org/SA-CORE-2014-005
https://www.drupal.org/drupal-7.32
https://www.drupal.org/drupal-7.32-release-notes
http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
http://www.debian.org/security/2014/dsa-3051
========================

Updated packages in core/updates_testing:
========================
drupal-7.32-1.mga3
drupal-mysql-7.32-1.mga3
drupal-postgresql-7.32-1.mga3
drupal-sqlite-7.32-1.mga3
drupal-7.32-1.mga4
drupal-mysql-7.32-1.mga4
drupal-postgresql-7.32-1.mga4
drupal-sqlite-7.32-1.mga4

from SRPMS:
drupal-7.32-1.mga3.src.rpm
drupal-7.32-1.mga4.src.rpm

Testing on Mageia4-64 real hardware.

As I didn't know if there was anything specific to test, I installed updates-testing packages as listed and then installed drupal following the installation guide found here:
https://www.drupal.org/documentation/install

With MCC:
- drupal-7.32-1.mga4.noarch
- drupal-mysql-7.32-1.mga4.noarch
- drupal-postgresql-7.32-1.mga4.noarch
- drupal-sqlite-7.32-1.mga4.noarch
- php-pdo_mysql-5.5.16-1.mga4.x86_64
- php-pdo_pgsql-5.5.16-1.mga4.x86_64
- php-pdo_sqlite-5.5.16-1.mga4.x86_64
- php-uploadprogress-1.0.3.1-7.mga4.x86_64

Created a database in command line:
# mysqladmin -u root -p create drupzitoun
# mysql -u root -p
> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON drupzitoun.* TO 'root'@'localhost' IDENTIFIED BY 'password';
> exit

Set up drupal:
# cd /usr/share/drupal
# cp sites/default/default.settings.php sites/default/settings.php
# chmod a+w sites/default/settings.php
# chmod a+w sites/default

In firefox web browser: http://localhost/drupal/install.php

Followed installation steps:
Drupal Installation tasks
Choose profile (done)
Choose language (done)
Verify requirements (done)
Set up database (done)
Install profile

"All necessary changes to sites/default and sites/default/settings.php have been made, so you should remove write permissions to them now in order to avoid security risks. If you are unsure how to do so, consult the online handbook."
# chmod 644 sites/default/settings.php
# cd sites
# chmod 755 default

Drupal installed without any problem.

Then, connected to http://drupal which opened a start page where I created articles, menus, links, installed modules, logged out, logged back in, edited, deleted articles... Everything went well.

If there is any other step to follow, I'll be happy to do it for further testing.

CC:
(none) =>
olchal

That's sufficient, thanks Olivier. See comment 4 and https://bugs.mageia.org/show_bug.cgi?id=13271#c16 for testing procedures.

CC:
(none) =>
remi

I am trying this also M4 x64 using PostgreSQL, but after installing & configuring Drupal from normal repos (thanks to Olivier for his excellent instructions in Comment 4), I am having problems with Updates Testing which (among a raft of updates) does not show Drupal at all. Have tried twice at both sides of a night; # urpmi.update "Core Updates Testing" yields the 'aria2' error. Will try again, tonight.

CC:
(none) =>
lewyssmith

M4 x64 using PostgreSQL. Eventually managed to update Drupal to:
drupal-postgresql-7.32-1.mga4
drupal-7.32-1.mga4
Re-launched it, played a little bit (being clueless about it), it worked OK as before the update. Edited a page, changed a picture. *Much* less than Comment 4.

Whiteboard:
MGA3TOO has_procedure =>
MGA3TOO has_procedure MGA4-64-OK

Testing on Mageia4-32, real HW

First installing normal packages:
- drupal-7.31-1.mga4.noarch
- drupal-mysql-7.31-1.mga4.noarch
- php-pdo_mysql-5.5.16-1.mga4.i586
- php-uploadprogress-1.0.3.1-7.mga4.i586

Set up drupal as before using mysql (comment 4).
Everything OK (installation, basic usage).

Updating to drupal-testing:
- drupal-7.32-1.mga4.noarch
- drupal-mysql-7.32-1.mga4.noarch

Connected to http://localhost/drupal
Found my first project, basic usage OK.

Whiteboard:
MGA3TOO has_procedure MGA4-64-OK =>
MGA3TOO has_procedure MGA4-64-OK MGA4-32 OK
olivier charles
2014-10-21 10:13:53 CEST
Whiteboard:
MGA3TOO has_procedure MGA4-64-OK MGA4-32 OK =>
MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK

Advisory uploaded, ready to be pushed once it's been tested on Mageia 3.

Whiteboard:
MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK =>
MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK advisory

I try to test it but I get several errors in terminal mysql: I cannot set the mysql root password, even trying to edit the file /etc/my.cnf.

mysqladmin -u root password '*********':
mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)'
Check that mysqld is running and that the socket: '/var/lib/mysql/mysql.sock' exists!

Is this because of VirtualBox?

Did you start mysqld with: systemctl start mysqld ?
If you're stuck with mariadb you can have a look at some instructions I wrote here, that might help you change the password if you forgot it:
https://bugs.mageia.org/show_bug.cgi?id=14208#c6

Mageia 3 testing done, no problems found, I validated the update.
Sysadmin please push this update.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0423.html

Status:
NEW =>
RESOLVED