Bug 18806

Summary: drupal new security issue fixed upstream in 7.44 (CVE-2016-6211)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/691830/
Whiteboard: has_procedure advisory mga5-64-ok
Source RPM: drupal-7.43-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-06-28 01:05:35 CEST
Upstream has issued an advisory on June 15:
https://www.drupal.org/SA-CORE-2016-002

I haven't seen a CVE or CVE request for this yet.

Updated package uploaded for Mageia 5.

Advisory:
========================

Updated drupal packages fix security vulnerability:

A vulnerability exists in the User module, where if some specific contributed
or custom code triggers a rebuild of the user profile form, a registered user
can be granted all user roles on the site. This would typically result in the
user gaining administrative access (SA-CORE-2016-002).

References:
https://www.drupal.org/SA-CORE-2016-002
https://www.drupal.org/drupal-7.44
https://www.drupal.org/drupal-7.44-release-notes
========================

Updated packages in core/updates_testing:
========================
drupal-7.44-1.mga5
drupal-mysql-7.44-1.mga5
drupal-postgresql-7.44-1.mga5
drupal-sqlite-7.44-1.mga5

from drupal-7.44-1.mga5.src.rpm

Comment 1 David Walser 2016-06-28 01:05:46 CEST
Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=14298#c6

Whiteboard: (none) => has_procedure

Comment 2 claire robinson 2016-07-07 22:43:43 CEST
Testing complete mga5 64

updated with drupal-mysql, installed with drupal-sqlite.
no issues.

Whiteboard: has_procedure => has_procedure mga5-64-ok

Comment 3 claire robinson 2016-07-08 16:53:00 CEST
Validating

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2016-07-08 17:26:51 CEST

Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok

Comment 4 Mageia Robot 2016-07-08 21:51:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0245.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2016-07-13 15:08:30 CEST
CVE request:
http://openwall.com/lists/oss-security/2016/07/13/4

Comment 6 David Walser 2016-07-13 19:30:06 CEST
(In reply to David Walser from comment #5)
> CVE request:
> http://openwall.com/lists/oss-security/2016/07/13/4

CVE-2016-6211:
http://openwall.com/lists/oss-security/2016/07/13/7

Summary: drupal new security issue fixed upstream in 7.44 => drupal new security issue fixed upstream in 7.44 (CVE-2016-6211)