Bug 11729 - drupal new security issues fixed upstream in 7.24
Summary: drupal new security issues fixed upstream in 7.24
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/575042/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-11-22 03:08 CET by David Walser
Modified: 2013-11-30 22:47 CET
CC: 5 users

See Also:
Source RPM: drupal-7.24-1.mga3
CVE:
Status comment:



Description David Walser 2013-11-22 03:08:58 CET
Upstream has announced version 7.24, fixing several security issues:
http://freecode.com/projects/drupal/releases/359420

Reproducible: 

Steps to Reproduce:
David Walser 2013-11-22 03:09:21 CET

Whiteboard: (none) => MGA3TOO, MGA2TOO

David Walser 2013-11-22 03:09:48 CET

Blocks: (none) => 11726

Comment 1 David Walser 2013-11-22 16:06:26 CET
Removing Mageia 2 from the whiteboard due to EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO

Comment 2 David Walser 2013-11-22 21:21:50 CET
CVE information for the drupal update is here:
http://openwall.com/lists/oss-security/2013/11/22/4
Comment 3 David Walser 2013-11-23 23:14:15 CET
drupal-7.24-1.mga4 uploaded for Cauldron.

Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Funda Wang 2013-11-24 16:48:38 CET

Blocks: 11726 => (none)

Comment 4 Funda Wang 2013-11-24 16:53:13 CET
Uploaded drupal-7.24-1.mga3 into core/updates_testing.

Source RPM: drupal-7.22-2.mga4.src.rpm => drupal-7.24-1.mga3

Comment 5 David Walser 2013-11-24 16:57:35 CET
Thanks Funda!

Updated packages in updates_testing:
drupal-7.24-1.mga3
drupal-mysql-7.24-1.mga3
drupal-postgresql-7.24-1.mga3
drupal-sqlite-7.24-1.mga3

from drupal-7.24-1.mga3.src.rpm

Advisory to come.

CC: (none) => fundawang
Assignee: fundawang => qa-bugs

Comment 6 David Walser 2013-11-24 17:05:38 CET
Funda, according to the upstream advisory, one more php_flag setting should be added to the <IfModule mod_php5.c> section in drupal.conf:
    php_flag engine off

(see the "Warning: Fixing the code execution prevention may require server configuration" section).
https://drupal.org/SA-CORE-2013-003

Does that look right to you? Does that need to be added in the package?
Comment 7 David Walser 2013-11-24 17:10:45 CET
Advisory:
========================

Updated drupal packages fix security vulnerabilities:

Drupal's form API has built-in cross-site request forgery (CSRF) validation,
and also allows any module to perform its own validation on the form. In
certain common cases, form validation functions may execute unsafe operations
(CVE-2013-6385).

Drupal core directly used the mt_rand() pseudorandom number generator for
generating security related strings used in several core modules. It was found
that brute force tools could determine the seeds making these strings
predictable under certain circumstances (CVE-2013-6386).

Image field descriptions are not properly sanitized before they are printed to
HTML, thereby exposing a cross-site scripting vulnerability (CVE-2013-6387).

A cross-site scripting vulnerability was found in the Color module. A malicious
attacker could trick an authenticated administrative user into visiting a page
containing specific JavaScript that could lead to a reflected cross-site
scripting attack via JavaScript execution in CSS (CVE-2013-6388).

The Overlay module displays administrative pages as a layer over the current
page (using JavaScript), rather than replacing the page in the browser window.
The Overlay module did not sufficiently validate URLs prior to displaying their
contents, leading to an open redirect vulnerability (CVE-2013-6389).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6389
https://drupal.org/SA-CORE-2013-003
http://openwall.com/lists/oss-security/2013/11/22/4
========================

Updated packages in core/updates_testing:
========================
drupal-7.24-1.mga3
drupal-mysql-7.24-1.mga3
drupal-postgresql-7.24-1.mga3
drupal-sqlite-7.24-1.mga3

from drupal-7.24-1.mga3.src.rpm
Comment 8 David Walser 2013-11-26 19:49:35 CET
Mandriva has issued an advisory for this today (November 26):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:287/

URL: (none) => http://lwn.net/Vulnerabilities/575042/

Comment 9 Oden Eriksson 2013-11-27 11:51:43 CET
If I'm not mistaken we disabled .htaccess scanning a long time ago in Mandriva, due to performance and security issues, but I do not know if this has been removed in mga3+. Either way this has been fixed in drupal-7.24-1.1.mga3

I was not able to force it to use /var/tmp/drupal, which would be preferred in this case. So, access restrictions apply to /var/tmp, *BUT* if the user changes this in the configuration all bets are off if .htaccess scanning is disabled.

Drupal tries to mitigate this by adding a .htaccess file in the /var/lib/drupal/files/default/ and /var/tmp directories if not found.

CC: (none) => oe

Comment 10 Oden Eriksson 2013-11-27 15:29:23 CET
Fixed with drupal-7.24-1.1.mga3 and drupal-7.24-2.mga4

Putting files in /var/tmp is disallowed by the Mageia build system so tmp is now at /var/lib/drupal/tmp.
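An added configuration example, not the Mageia drupal.conf and not taken from the package: it shows how the hardening discussed in Comment 6 (the extra `php_flag engine off` from SA-CORE-2013-003) and the caveat in Comments 9 and 10 (the rules must not depend on .htaccess scanning, and tmp now lives under /var/lib/drupal/tmp) can be applied from the server configuration. The paths are the ones named in this bug; the directory blocks and the `SetHandler` name (the one upstream's files/.htaccess uses, as far as I know) are assumptions.

```apache
# Added example (not the Mageia drupal.conf): protect the user-writable Drupal
# directories from the server config, so the rules hold even where per-directory
# .htaccess processing is switched off (AllowOverride None), as Comment 9 warns.
# Paths follow Comments 9 and 10; the block layout itself is an assumption.
<Directory "/var/lib/drupal/files">
    # Ignore any .htaccess that ends up in the upload tree, so a dropped file
    # cannot re-enable script execution.
    AllowOverride None
    Options None
    Options +FollowSymLinks

    # Catch-all handler: uploaded files are served as static content and never
    # handed to a script module (the approach upstream's .htaccess takes).
    SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003

    # Where mod_php is loaded, also switch the PHP engine off for this tree;
    # this is the php_flag Comment 6 asks to add to drupal.conf.
    <IfModule mod_php5.c>
        php_flag engine off
    </IfModule>
</Directory>

# The temporary upload directory (moved to /var/lib/drupal/tmp per Comment 10)
# should not be served at all; deny it outright on both Apache 2.2 and 2.4.
<Directory "/var/lib/drupal/tmp">
    AllowOverride None
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
    <IfModule mod_php5.c>
        php_flag engine off
    </IfModule>
</Directory>
```

After reloading httpd, a quick check is to place a harmless `.php` file containing only text into /var/lib/drupal/files and confirm the server returns it verbatim instead of running it.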
Comment 11 Dave Hodgins 2013-11-30 14:00:03 CET
Advisory 11729.adv committed to svn

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 12 Dave Hodgins 2013-11-30 15:21:47 CET
Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 11729.adv to updates.

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 13 Thomas Backlund 2013-11-30 22:47:16 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0359.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

