Bug 12325 - drupal new security issues fixed in 7.26
Summary: drupal new security issues fixed in 7.26
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/581545/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-01-16 16:36 CET by David Walser
Modified: 2014-01-31 18:07 CET

See Also:
Source RPM: drupal-7.24-3.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-01-16 16:36:44 CET
CVEs have been assigned for security issues fixed in drupal 7.26:
http://openwall.com/lists/oss-security/2014/01/16/3
https://drupal.org/SA-CORE-2014-001

Reproducible: 

Steps to Reproduce:
David Walser 2014-01-16 16:37:03 CET

Whiteboard: (none) => MGA3TOO

David Walser 2014-01-17 17:26:19 CET

Blocks: (none) => 11726

Comment 1 David Walser 2014-01-21 20:45:39 CET
Debian has issued an advisory for this on January 20:
http://www.debian.org/security/2014/dsa-2847

URL: (none) => http://lwn.net/Vulnerabilities/581545/

Comment 2 David Walser 2014-01-26 22:59:01 CET
Updated package uploaded for Mageia 3. Freeze push requested for Cauldron.

Advisory:
========================

Updated drupal packages fix security vulnerabilities:

Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID
module that allows a malicious user to log in as other users on the site,
including administrators, and hijack their accounts (CVE-2014-1475).

Matt Vance and Damien Tournoud reported an access bypass vulnerability in the
taxonomy module. Under certain circumstances, unpublished content can appear on
listing pages provided by the taxonomy module and will be visible to users who
should not have permission to see it (CVE-2014-1476).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1476
https://drupal.org/SA-CORE-2014-001
http://www.debian.org/security/2014/dsa-2847
========================

Updated packages in core/updates_testing:
========================
drupal-7.26-1.mga3
drupal-mysql-7.26-1.mga3
drupal-postgresql-7.26-1.mga3
drupal-sqlite-7.26-1.mga3

from drupal-7.26-1.mga3.src.rpm

CC: (none) => fundawang
Version: Cauldron => 3
Assignee: fundawang => qa-bugs
Whiteboard: MGA3TOO => (none)
Severity: normal => critical

Comment 3 David Walser 2014-01-26 23:16:56 CET
drupal-7.26-1.mga4 uploaded for Cauldron.

Blocks: 11726 => (none)

Dave Hodgins 2014-01-31 01:21:35 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 4 Dave Hodgins 2014-01-31 02:42:47 CET
Took me a while, as I'd forgotten you have to go to
http://127.0.0.1/drupal/install.php
to get the initial database creation to work.

Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 12325.adv to updates.

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2014-01-31 18:07:44 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0031.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
