| Summary: | drupal new security issues fixed upstream in 7.52 (CVE-2016-9449 and CVE-2016-9451) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, lewyssmith, sysadmin-bugs, youpburden |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/706841/ | ||
| Whiteboard: | has_procedure advisory MGA5-64-OK MGA5-32-OK | ||
| Source RPM: | drupal-7.44-1.mga5.src.rpm | CVE: | CVE-2016-9449 CVE-2016-9451 |
| Status comment: | |||
Description
David Walser
2016-11-18 13:39:12 CET
Testing procedures: https://bugs.mageia.org/show_bug.cgi?id=14298#c6

Whiteboard: (none) => has_procedure

Debian has issued an advisory for this on November 17:
https://www.debian.org/security/2016/dsa-3718

URL: (none) => http://lwn.net/Vulnerabilities/706841/

CVE-2016-9449 and CVE-2016-9451:
http://openwall.com/lists/oss-security/2016/11/18/16

Advisory:
========================

Updated drupal packages fix security vulnerabilities:

Inconsistent name for term access query; information on taxonomy terms might have been disclosed to unprivileged users (CVE-2016-9449).

Confirmation forms allow external URLs to be injected (CVE-2016-9451).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9451
https://www.drupal.org/SA-CORE-2016-005
https://www.drupal.org/drupal-7.45
https://www.drupal.org/drupal-7.45-release-notes
https://www.drupal.org/drupal-7.46
https://www.drupal.org/drupal-7.46-release-notes
https://www.drupal.org/drupal-7.47
https://www.drupal.org/drupal-7.47-release-notes
https://www.drupal.org/drupal-7.48
https://www.drupal.org/drupal-7.48-release-notes
https://www.drupal.org/drupal-7.49
https://www.drupal.org/drupal-7.49-release-notes
https://www.drupal.org/drupal-7.50
https://www.drupal.org/drupal-7.50-release-notes
https://www.drupal.org/drupal-7.51
https://www.drupal.org/drupal-7.51-release-notes
https://www.drupal.org/drupal-7.52
https://www.drupal.org/drupal-7.52-release-notes
http://openwall.com/lists/oss-security/2016/11/18/16

Summary: drupal new security issues fixed upstream in 7.52 => drupal new security issues fixed upstream in 7.52 (CVE-2016-9449 and CVE-2016-9451)

LWN references with the CVEs:
https://lwn.net/Vulnerabilities/707038/
https://lwn.net/Vulnerabilities/707041/
Dave Hodgins
2016-11-21 22:39:14 CET
CC: (none) => davidwhodgins

Testing M5 x64 real hardware.

I already have Drupal installed, using Postgres, so:
UPDATED to: drupal-7.52-1.mga5, drupal-postgresql-7.52-1.mga5 without problems.
Played with it (http://localhost/drupal), added an Article with a picture, modified a previous one, edited a Basic Page. OK for me.

If the 32-bit tester can use MariaDB/MySQL, so much the better.

CC: (none) => lewyssmith

Mageia5-32 on Virtualbox 5.0.8 with guest additions and real hardware (AMD free driver)

I installed MariaDB with Drupal 7.52-1.mag5 without problem.

Then, I created some pages with texts, images, weblinks ...
Everything has been working without issues for 4 hours now.

Same results on Virtualbox and real hardware so it's ok for me.

CC: (none) => youpburden

(In reply to youpburden from comment #6)
> Mageia5-32 on Virtualbox 5.0.8 with guest additions and real hardware (AMD
> free driver)
>
> I installed MariaDB with Drupal 7.52-1.mag5 without problem.
>
> Then, I created some pages with texts, images, weblinks ...
> Everything has been working without issues for 4 hours now.
>
> Same results on Virtualbox and real hardware so it's ok for me.

It's been a week now and Drupal is still working fine.

MGA5-32-OK

Whiteboard: has_procedure advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
youpburden
2016-12-07 09:55:20 CET
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0413.html

Status: NEW => RESOLVED
David Walser
2016-12-07 13:09:37 CET
CVE: CVE-2016-9449, CVE-2016-9450, CVE-2016-9452, CVE-2016-9451 => CVE-2016-9449 CVE-2016-9451