Bug 17815

Summary: drupal new security issues fixed upstream in 7.43
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: lewyssmith, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/677958/
Whiteboard: has_procedure advisory MGA5-64-OK
Source RPM: drupal-7.41-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-02-24 22:51:30 CET
Upstream has issued an advisory today (February 24):
https://www.drupal.org/SA-CORE-2016-001

CVEs have been requested:
http://openwall.com/lists/oss-security/2016/02/24/19

Updated package uploaded for Mageia 5.

Advisory to come later.

References:
https://www.drupal.org/SA-CORE-2016-001
https://www.drupal.org/drupal-7.42
https://www.drupal.org/drupal-7.42-release-notes
https://www.drupal.org/drupal-7.43
https://www.drupal.org/drupal-7.43-release-notes
========================

Updated packages in core/updates_testing:
========================
drupal-7.43-1.mga5
drupal-mysql-7.43-1.mga5
drupal-postgresql-7.43-1.mga5
drupal-sqlite-7.43-1.mga5

from drupal-7.43-1.mga5.src.rpm

Comment 1 David Walser 2016-02-24 22:51:47 CET
Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=14298#c6

Whiteboard: (none) => has_procedure

Comment 2 Lewis Smith 2016-02-26 20:24:41 CET
Testing MGA5 x64 with PostgreSQL

I had all this already installed, so updated to:
 drupal-7.43-1.mga5
 drupal-postgresql-7.43-1.mga5
and played with it a bit, editing, upload of an image. All seems OK.

CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 3 claire robinson 2016-02-27 16:24:28 CET
Testing complete mysql (mariadb)

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 claire robinson 2016-02-27 21:16:02 CET
This one needs an advisory please David

Comment 5 David Walser 2016-02-27 21:31:41 CET
Still no CVEs :o(

Advisory:
========================

Updated drupal packages fix security vulnerabilities:

The drupal package has been updated to version 7.43, which fixes several
security issues and other bugs.  See the upstream advisory and release
notes for details.

References:
https://www.drupal.org/SA-CORE-2016-001
https://www.drupal.org/drupal-7.42
https://www.drupal.org/drupal-7.42-release-notes
https://www.drupal.org/drupal-7.43
https://www.drupal.org/drupal-7.43-release-notes

Comment 6 claire robinson 2016-02-27 21:44:02 CET
Thanks. Advisory uploaded.

Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK

Comment 7 David Walser 2016-02-29 23:09:24 CET
Debian has issued an advisory for this on February 28:
https://www.debian.org/security/2016/dsa-3498

URL: (none) => http://lwn.net/Vulnerabilities/677958/

Comment 8 Mageia Robot 2016-03-02 19:30:12 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0087.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2016-03-16 12:27:04 CET
CVEs have finally been assigned for this:
http://openwall.com/lists/oss-security/2016/03/15/10

CVE-2016-316[2-4], CVE-2016-316[89], CVE-2016-3170 applied to us.