Upstream has announced version 7.24, fixing several security issues:
Removing Mageia 2 from the whiteboard due to EOL.
MGA3TOO, MGA2TOO =>
CVE information for the drupal update is here:
drupal-7.24-1.mga4 uploaded for Cauldron.
Uploaded drupal-7.24-1.mga3 into core/updates_testing.
Updated packages in updates_testing:
Advisory to come.
Funda, according to the upstream advisory, one more php_flag setting should be added to the <IfModule mod_php5.c> section in drupal.conf:
php_flag engine off
(see the "Warning: Fixing the code execution prevention may require server configuration" section).
Does that look right to you? Does that need to be added in the package?
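As an added example (not from this bug report, the upstream advisory or the Mageia package), this is what the upstream code execution prevention looks like when carried in the packaged Apache configuration rather than in a .htaccess file. The <Directory> wrapper and the /var/lib/drupal/files path are assumptions; the directives inside mirror the .htaccess that Drupal 7.24 itself writes into its files directory, including the `php_flag engine off` line discussed above.

```apache
# Added example, not the project's or the package's own drupal.conf.
# Assumed layout: Drupal's public files directory lives under /var/lib/drupal/files.
# Placing these directives in the server config (instead of .htaccess) means they
# stay in force even when .htaccess scanning is disabled with AllowOverride None.
<Directory /var/lib/drupal/files>
    # Turn off all options we don't need.
    Options None
    Options +FollowSymLinks

    # Catch-all handler so uploaded files are served as data, never executed.
    SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
    <Files *>
        # Override the handler again if we're run later in the evaluation list.
        SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
    </Files>

    # If we know how to do it safely, disable the PHP engine entirely.
    <IfModule mod_php5.c>
        php_flag engine off
    </IfModule>
</Directory>
```

To check the result after restarting httpd, place a file such as test.php containing `<?php phpinfo();` in that directory and request it over HTTP: the server must return the file's bytes (or refuse the request), not a rendered phpinfo page. The same block should be repeated for any other directory users can upload into, such as the temporary directory the package configures.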
Updated drupal packages fix security vulnerabilities:
Drupal's form API has built-in cross-site request forgery (CSRF) validation,
and also allows any module to perform its own validation on the form. In
certain common cases, form validation functions may execute unsafe operations
Drupal core directly used the mt_rand() pseudorandom number generator for
generating security related strings used in several core modules. It was found
that brute force tools could determine the seeds making these strings
predictable under certain circumstances (CVE-2013-6386).
Image field descriptions are not properly sanitized before they are printed to
HTML, thereby exposing a cross-site scripting vulnerability (CVE-2013-6387).
A cross-site scripting vulnerability was found in the Color module. A malicious
attacker could trick an authenticated administrative user into visiting a page
The Overlay module displays administrative pages as a layer over the current
The Overlay module did not sufficiently validate URLs prior to displaying their
contents, leading to an open redirect vulnerability (CVE-2013-6389).
Updated packages in core/updates_testing:
Mandriva has issued an advisory for this today (November 26):
If I'm not mistaken we disabled .htaccess scanning a long time ago in Mandriva, due to performance and security issues, but I do not know if this has been removed in mga3+. Either way this has been fixed in drupal-7.24-1.1.mga3
I was not able to force it to use /var/tmp/drupal which would be preferred in this case. So, access restrictions apply to /var/tmp, *BUT* if the user changes this in the configuration all bets are off if .htaccess scanning is disabled.
Drupal tries to mitigate this by adding a .htaccess file in the /var/lib/drupal/files/default/ and /var/tmp directories if not found.
fixed with drupal-7.24-1.1.mga3 and drupal-7.24-2.mga4
Putting files in /var/tmp is disallowed by the Mageia build system so tmp is now at /var/lib/drupal/tmp.
Advisory 11729.adv committed to svn
Testing complete on Mageia 3 i586 and x86_64.
Someone from the sysadmin team please push 11729.adv to updates.
advisory MGA3-64-OK MGA3-32-OK