Bug 8733

Summary: [Update request] drupal 7.19 fixing multiple vulnerabilities
Product: Mageia Reporter: Funda Wang <fundawang>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://drupal.org/SA-CORE-2013-001
Whiteboard: has_procedure mga2-64-ok MGA2-32-OK
Source RPM: drupal-7.19-1.mga2 CVE:
Status comment:

Description Funda Wang 2013-01-18 13:23:31 CET 
Multiple vulnerabilities were fixed in the supported Drupal core versions 7(DRUPAL-SA-CORE-2013-001).

* A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue.

* A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to.

* Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on "image styles" and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view.

The drupal package was updated to latest version 7.19 to fix above vulnerabilities.
Funda Wang 2013-01-18 13:23:45 CET

URL: (none) => http://drupal.org/SA-CORE-2013-001

Comment 1 David Walser 2013-01-29 01:06:44 CET 
Fedora has issued advisories for this:
http://lwn.net/Vulnerabilities/534652/
Comment 2 claire robinson 2013-01-31 12:30:11 CET 
SRPM: drupal-7.19-1.mga2.src.rpm
--------------------------------
drupal
drupal-mysql
drupal-postgresql
drupal-sqlite
Comment 3 claire robinson 2013-01-31 12:31:45 CET 
For procedure see bug 8442

Whiteboard: (none) => has_procedure

Comment 4 claire robinson 2013-01-31 12:33:14 CET 
Testing mga2 64
Comment 5 claire robinson 2013-01-31 13:24:08 CET 
Testing complete drupal mga2 64 with mysql, postgresql & sqlite

Whiteboard: has_procedure => has_procedure mga2-64-ok

Comment 6 Dave Hodgins 2013-02-02 04:02:34 CET 
Testing i586 shortly.

CC: (none) => davidwhodgins

Comment 7 Dave Hodgins 2013-02-02 04:40:02 CET 
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm
drupal-7.19-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Multiple vulnerabilities were fixed in the supported Drupal core versions
7(DRUPAL-SA-CORE-2013-001).

* A reflected cross-site scripting vulnerability (XSS) was identified in
certain Drupal JavaScript functions that pass unexpected user input into jQuery
causing it to insert HTML into the page when the intended behavior is to select
DOM elements. Multiple core and contributed modules are affected by this issue.

* A vulnerability was identified that exposes the title or, in some cases, the
content of nodes that the user should not have access to.

* Drupal core provides the ability to have private files, including images. A
vulnerability was identified in which derivative images (which Drupal
automatically creates from these images based on "image styles" and which may
differ, for example, in size or saturation) did not always receive the same
protection. Under some circumstances, this would allow users to access image
derivatives for images they should not be able to view.

The drupal package was updated to latest version 7.19 to fix above
vulnerabilities

https://bugs.mageia.org/show_bug.cgi?id=8733

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok MGA2-32-OK

Comment 8 Thomas Backlund 2013-02-06 22:59:06 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0027

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED