Upstream has announced version 7.24, fixing several security issues: http://freecode.com/projects/drupal/releases/359420
Whiteboard: (none) => MGA3TOO, MGA2TOO
Blocks: (none) => 11726
Removing Mageia 2 from the whiteboard due to EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO
CVE information for the drupal update is here: http://openwall.com/lists/oss-security/2013/11/22/4
drupal-7.24-1.mga4 uploaded for Cauldron.
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)
Blocks: 11726 => (none)
Uploaded drupal-7.24-1.mga3 into core/updates_testing.
Source RPM: drupal-7.22-2.mga4.src.rpm => drupal-7.24-1.mga3
Thanks Funda! Updated packages in updates_testing:
drupal-7.24-1.mga3
drupal-mysql-7.24-1.mga3
drupal-postgresql-7.24-1.mga3
drupal-sqlite-7.24-1.mga3
from drupal-7.24-1.mga3.src.rpm
Advisory to come.
CC: (none) => fundawang
Assignee: fundawang => qa-bugs
Funda, according to the upstream advisory, one more php_flag setting should be added to the <IfModule mod_php5.c> section in drupal.conf: php_flag engine off (see the "Warning: Fixing the code execution prevention may require server configuration" section). https://drupal.org/SA-CORE-2013-003 Does that look right to you? Does that need to be added in the package?
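The server-side form of the upstream advisory's protection, as an added example for this thread (not Mageia's packaged drupal.conf). It assumes the Mageia paths /var/lib/drupal/files and /var/lib/drupal/tmp and an Apache where .htaccess scanning is disabled, so the rules must live in drupal.conf itself:

```apache
# Added example, not the packaged drupal.conf. Assumed paths:
# /var/lib/drupal/files (site uploads) and /var/lib/drupal/tmp (temp files).
<Directory /var/lib/drupal/files>
    # .htaccess is not consulted, so the protection has to be set here.
    AllowOverride None
    Options -Indexes -ExecCGI +FollowSymLinks

    # A handler name no module claims: an uploaded .php/.phtml file is then
    # passed to the default handler and served as plain data, never executed.
    SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
    <Files *>
        # Re-apply in case a later <Files> or AddHandler overrides it.
        SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
    </Files>

    # The extra setting from SA-CORE-2013-003: turn the PHP engine off
    # entirely for this tree, so mod_php cannot run anything stored here.
    <IfModule mod_php5.c>
        php_flag engine off
    </IfModule>
</Directory>

# The temp directory is never served; deny all web access to it.
<Directory /var/lib/drupal/tmp>
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>
```

Check the result with `apachectl configtest`, then confirm that a test file named `probe.php` placed under /var/lib/drupal/files is returned as raw text rather than executed.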
Advisory:
========================

Updated drupal packages fix security vulnerabilities:

Drupal's form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations (CVE-2013-6385).

Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances (CVE-2013-6386).

Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a cross-site scripting vulnerability (CVE-2013-6387).

A cross-site scripting vulnerability was found in the Color module. A malicious attacker could trick an authenticated administrative user into visiting a page containing specific JavaScript that could lead to a reflected cross-site scripting attack via JavaScript execution in CSS (CVE-2013-6388).

The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability (CVE-2013-6389).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6389
https://drupal.org/SA-CORE-2013-003
http://openwall.com/lists/oss-security/2013/11/22/4
========================

Updated packages in core/updates_testing:
========================
drupal-7.24-1.mga3
drupal-mysql-7.24-1.mga3
drupal-postgresql-7.24-1.mga3
drupal-sqlite-7.24-1.mga3

from drupal-7.24-1.mga3.src.rpm
Mandriva has issued an advisory for this today (November 26): http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:287/
URL: (none) => http://lwn.net/Vulnerabilities/575042/
If I'm not mistaken we disabled .htaccess scanning a long time ago in Mandriva, due to performance and security issues, but I do not know if this has been removed in mga3+. Either way this has been fixed in drupal-7.24-1.1.mga3. I was not able to force it to use /var/tmp/drupal, which would be preferred in this case. So, access restrictions apply to /var/tmp, *BUT* if the user changes this in the configuration all bets are off if .htaccess scanning is disabled. Drupal tries to mitigate this by adding a .htaccess file in the /var/lib/drupal/files/default/ and /var/tmp directories if not found.
CC: (none) => oe
Fixed with drupal-7.24-1.1.mga3 and drupal-7.24-2.mga4. Putting files in /var/tmp is disallowed by the Mageia build system, so tmp is now at /var/lib/drupal/tmp.
Advisory 11729.adv committed to svn
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Testing complete on Mageia 3 i586 and x86_64. Someone from the sysadmin team please push 11729.adv to updates.
Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0359.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED