Bug 21152

Summary: drupal new security issue CVE-2017-6922
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: has_procedure MGA5-64-OK advisory
Source RPM: drupal-7.52-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-06-26 12:12:56 CEST 
Upstream has issued an advisory on June 21:
https://www.drupal.org/SA-CORE-2017-003

Debian has issued an advisory for this on June 24:
https://www.debian.org/security/2017/dsa-3897

Updated package uploaded for Mageia 5.

Advisory:
========================

Updated drupal packages fix security vulnerability:

Greg Knaddison, Mori Sugimoto and iancawthorne discovered that files uploaded
by anonymous users into a private file system can be accessed by other
anonymous users leading to an access bypass vulnerability (CVE-2017-6922).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6922
https://www.drupal.org/SA-CORE-2017-003
https://www.drupal.org/project/drupal/releases/7.53
https://www.drupal.org/project/drupal/releases/7.54
https://www.drupal.org/project/drupal/releases/7.55
https://www.drupal.org/project/drupal/releases/7.56
https://www.debian.org/security/2017/dsa-3897
========================

Updated packages in core/updates_testing:
========================
drupal-7.56-1.mga5
drupal-mysql-7.56-1.mga5
drupal-postgresql-7.56-1.mga5
drupal-sqlite-7.56-1.mga5

from drupal-7.56-1.mga5.src.rpm
Comment 1 David Walser 2017-06-26 12:13:08 CEST 
Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=14298#c6

Whiteboard: (none) => has_procedure

Comment 2 Lewis Smith 2017-06-28 11:39:36 CEST 
Testing M5 x64 real h/w

Updated installed & configured Drupal (using Postgresql) to:
 drupal-7.56-1.mga5
 drupal-postgresql-7.56-1.mga5
and via http://localhost/drupal played with it, adding comments to existing things.
More interestingly, I explored 'Reports/Status'' which alerted me to do some database updating. This asked to put the site into 'maintenance mode', then did 6 things, apparently ended OK and worked subsequently.

This update OK.

Whiteboard: has_procedure => has_procedure MGA5-64-OK
CC: (none) => lewyssmith

Lewis Smith 2017-06-28 11:43:55 CEST

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory

Comment 3 William Kenney 2017-06-29 21:46:32 CEST 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => wilcal.int, sysadmin-bugs

Comment 4 Mageia Robot 2017-06-29 23:58:46 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0198.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED