Bug 11729 - drupal new security issues fixed upstream in 7.24
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/575042/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Keywords: validated_update
Reported: 2013-11-22 03:08 CET by David Walser
Modified: 2013-11-30 22:47 CET (History)

Source RPM: drupal-7.24-1.mga3

Description David Walser 2013-11-22 03:08:58 CET
Upstream has announced version 7.24, fixing several security issues:


Steps to Reproduce:
Comment 1 David Walser 2013-11-22 16:06:26 CET
Removing Mageia 2 from the whiteboard due to EOL.

Comment 2 David Walser 2013-11-22 21:21:50 CET
CVE information for the drupal update is here:
Comment 3 David Walser 2013-11-23 23:14:15 CET
drupal-7.24-1.mga4 uploaded for Cauldron.
Comment 4 Funda Wang 2013-11-24 16:53:13 CET
Uploaded drupal-7.24-1.mga3 into core/updates_testing.
Comment 5 David Walser 2013-11-24 16:57:35 CET
Thanks Funda!

Updated packages in updates_testing:

from drupal-7.24-1.mga3.src.rpm

Advisory to come.
Comment 6 David Walser 2013-11-24 17:05:38 CET
Funda, according to the upstream advisory, one more php_flag setting should be added to the <IfModule mod_php5.c> section in drupal.conf:
    php_flag engine off

(see the "Warning: Fixing the code execution prevention may require server configuration" section).

Does that look right to you?  Does that need to be added in the package?
Comment 7 David Walser 2013-11-24 17:10:45 CET

Updated drupal packages fix security vulnerabilities:

Drupal's form API has built-in cross-site request forgery (CSRF) validation,
and also allows any module to perform its own validation on the form. In
certain common cases, form validation functions may execute unsafe operations

Drupal core directly used the mt_rand() pseudorandom number generator for
generating security related strings used in several core modules. It was found
that brute force tools could determine the seeds making these strings
predictable under certain circumstances (CVE-2013-6386).

Image field descriptions are not properly sanitized before they are printed to
HTML, thereby exposing a cross-site scripting vulnerability (CVE-2013-6387).

A cross-site scripting vulnerability was found in the Color module. A malicious
attacker could trick an authenticated administrative user into visiting a page
containing specific JavaScript that could lead to a reflected cross-site
scripting attack via JavaScript execution in CSS (CVE-2013-6388).

The Overlay module displays administrative pages as a layer over the current
page (using JavaScript), rather than replacing the page in the browser window.
The Overlay module did not sufficiently validate URLs prior to displaying their
contents, leading to an open redirect vulnerability (CVE-2013-6389).


Updated packages in core/updates_testing:

from drupal-7.24-1.mga3.src.rpm
Comment 8 David Walser 2013-11-26 19:49:35 CET
Mandriva has issued an advisory for this today (November 26):
Comment 9 Oden Eriksson 2013-11-27 11:51:43 CET
If I'm not mistaken we disabled .htaccess scanning a long time ago in mandriva, due to performance and security issues, but I do not know if this has been removed in mga3+. Either way this has been fixed in drupal-7.24-1.1.mga3

I was not able to force it to use /var/tmp/drupal which would be preferred in this case. So, access restrictions apply to /var/tmp, *BUT* if the user changes this in the configuration all bets are off if .htaccess scanning is disabled.

drupal tries to mitigate this by adding a .htaccess file in the /var/lib/drupal/files/default/ and /var/tmp directories if not found.
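As an added illustration (not part of this bug, the Mageia package or the upstream advisory) of the points in Comment 6 and Comment 9: when .htaccess scanning is disabled (AllowOverride None), the php_flag setting the advisory asks for has to live in the server configuration itself, so a hardened block for the Drupal files directory could look like this. The path /var/lib/drupal/files is the one named in this bug; the handler name is an arbitrary placeholder.

```apache
# Hypothetical hardening for the directory holding Drupal's uploaded files.
# Nothing placed here by a user should ever be interpreted as a script.
<Directory /var/lib/drupal/files>
    # Drop every option a static download directory does not need.
    Options None
    Options +FollowSymLinks

    # .htaccess files in this tree are ignored, so the settings below must
    # be here, in drupal.conf, rather than relying on the .htaccess that
    # Drupal writes into the files directory.
    AllowOverride None

    # Catch-all handler: requests are not dispatched to a script handler
    # even if the file name ends in .php. The name is a placeholder; Apache
    # serves such files as plain content (and may log "handler not found").
    SetHandler drupal-files-no-exec
    <Files *>
        # Re-apply in case a later <Files> or <FilesMatch> resets it.
        SetHandler drupal-files-no-exec
    </Files>

    # The setting from the upstream advisory: with mod_php loaded, switch
    # the PHP engine off entirely for this directory.
    <IfModule mod_php5.c>
        php_flag engine off
    </IfModule>
</Directory>
```

php_flag only affects mod_php; if PHP runs through FastCGI/php-fpm, the SetHandler catch-all and Options lines are what keep uploads from being executed.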
Comment 10 Oden Eriksson 2013-11-27 15:29:23 CET
fixed with drupal-7.24-1.1.mga3 and drupal-7.24-2.mga4

Putting files in /var/tmp is disallowed by the mageia build system so tmp is now at /var/lib/drupal/tmp.
Comment 11 Dave Hodgins 2013-11-30 14:00:03 CET
Advisory 11729.adv committed to svn
Comment 12 Dave Hodgins 2013-11-30 15:21:47 CET
Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 11729.adv to updates.
Comment 13 Thomas Backlund 2013-11-30 22:47:16 CET
Update pushed:
