| Summary: | drupal new security issue fixed upstream in 7.41 (CVE-2015-7943) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/662052/ | | |
| Whiteboard: | has_procedure advisory MGA5-64-OK | | |
| Source RPM: | drupal-7.39-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description

David Walser
2015-10-22 19:21:09 CEST

Testing procedures: https://bugs.mageia.org/show_bug.cgi?id=14298#c6

Whiteboard: (none) => has_procedure

CVE-2015-7943 assigned: http://openwall.com/lists/oss-security/2015/10/23/6

Advisory:
========================

Updated drupal packages fix security vulnerability:

The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability (CVE-2015-7943).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7943
https://www.drupal.org/SA-CORE-2015-004
https://www.drupal.org/drupal-7.40
https://www.drupal.org/drupal-7.40-release-notes
https://www.drupal.org/drupal-7.41
https://www.drupal.org/drupal-7.41-release-notes
http://openwall.com/lists/oss-security/2015/10/23/6

Summary: drupal new security issues fixed upstream in 7.41 => drupal new security issue fixed upstream in 7.41 (CVE-2015-7943)
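The advisory above describes insufficient URL validation before the Overlay module displays a page. The following is an added example, not Drupal's code and not part of this bug report, showing the kind of same-origin check client-side code needs before it follows a user-supplied URL; the function name, the base URL and the sample inputs are constructed for illustration.

```javascript
// Added example (not Drupal's own code): a same-origin check for a path that
// client-side code is about to load or redirect to, as an "overlay" feature
// must perform before displaying a user-supplied URL.
// Assumes the WHATWG URL API (browsers, Node.js >= 10).

// Returns the normalised same-origin path (path + query + fragment) when
// `target` resolves to the same origin as `base`, otherwise null.
function safeLocalPath(target, base) {
  if (typeof target !== 'string' || target.length === 0) return null;
  // Conservatively reject raw control characters and whitespace, which the
  // URL parser would silently strip (e.g. a tab inside a scheme name).
  if (/[\u0000-\u0020\u007f]/.test(target)) return null;
  let origin;
  let resolved;
  try {
    origin = new URL(base).origin;
    resolved = new URL(target, base);
  } catch (e) {
    return null; // unparseable input is never safe to follow
  }
  // Non-http(s) schemes (javascript:, data:) have an opaque "null" origin;
  // protocol-relative ("//host") and backslash ("/\host") forms resolve to a
  // foreign host, so the single origin comparison rejects all of them.
  if (origin === 'null' || resolved.origin !== origin) return null;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed sample inputs, as an overlay might receive them from the URL fragment.
const BASE = 'https://example.org/node/1';
const SAMPLES = [
  'admin/config',                  // relative path on this site: allowed
  '/user/1/edit?destination=node', // absolute path on this site: allowed
  '//attacker.example/',           // protocol-relative: rejected
  '/\\attacker.example/',          // backslash variant: rejected
  'javascript:alert(1)',           // script URL: rejected
  'https://attacker.example/',     // foreign origin: rejected
];

// Classifies each sample so the decision for every input is visible at once.
function classify(inputs, base) {
  return inputs.map((t) => ({ target: t, allowed: safeLocalPath(t, base) !== null }));
}
```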
Dave Hodgins
2015-10-25 23:34:59 CET

CC: (none) => davidwhodgins

David Walser
2015-10-26 20:58:21 CET

URL: (none) => http://lwn.net/Vulnerabilities/662052/

Testing M5 x64 using PostgreSQL.

Updated from:
drupal-7.39-1.mga5
drupal-postgresql-7.39-1.mga5
to:
drupal-7.41-1.mga5
drupal-postgresql-7.41-1.mga5

Played with the result, edited a page, added a user. All seems OK within my limited knowledge of how to drive this thing. Update deemed OK.

It would be nice if a 32-bit tester could use a different database, to try two variables at once.

CC: (none) => lewyssmith

Potential issue: Files (.php, .txt etc.) as well as directories under /etc/drupal/sites are executable with 755 apache:apache permissions. Previous version is the same so it may always have been this way.

Other than the above, installed and tested ok mga5 32 mysql. Created an article with an image. Adding feedback for now.

Whiteboard: has_procedure advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK feedback

Nice catch, that's definitely wrong. An %attr with 0755 was on the line for /etc/drupal/sites, but not marked as %dir. The 0755 should be unnecessary, so I deleted it.

drupal-7.41-1.1.mga5 submitted.

Whiteboard: has_procedure advisory MGA5-64-OK feedback => has_procedure MGA5-64-OK

Retested x86_64, confirmed the fix. All seems ok. Validating drupal-7.41-1.1.mga5.

Keywords: (none) => validated_update

Advisory updated in SVN.

Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0425.html

Status: NEW => RESOLVED