Drupal 7.27 was announced on April 16, fixing security issues: https://drupal.org/drupal-7.27 https://drupal.org/drupal-7.27-release-notes The upstream security advisory is here: https://drupal.org/SA-CORE-2014-002 Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Debian has issued an advisory for this on April 25: https://www.debian.org/security/2014/dsa-2913
URL: (none) => http://lwn.net/Vulnerabilities/596581/
Drupal 7.28 bugfix release is out: http://freecode.com/projects/drupal/releases/363572
in progress...
CC: (none) => tmb
Cauldron, mga4 and mga packages built. rpms to test... mga4: SRPM: drupal-7.28-1.mga4.src.rpm i586: drupal-7.28-1.mga4.noarch.rpm drupal-mysql-7.28-1.mga4.noarch.rpm drupal-postgresql-7.28-1.mga4.noarch.rpm drupal-sqlite-7.28-1.mga4.noarch.rpm x86_64: drupal-7.28-1.mga4.noarch.rpm drupal-mysql-7.28-1.mga4.noarch.rpm drupal-postgresql-7.28-1.mga4.noarch.rpm drupal-sqlite-7.28-1.mga4.noarch.rpm mga3: SRPM: drupal-7.28-1.mga3.src.rpm i586: drupal-7.28-1.mga3.noarch.rpm drupal-mysql-7.28-1.mga3.noarch.rpm drupal-postgresql-7.28-1.mga3.noarch.rpm drupal-sqlite-7.28-1.mga3.noarch.rpm x86_64: drupal-7.28-1.mga3.noarch.rpm drupal-mysql-7.28-1.mga3.noarch.rpm drupal-postgresql-7.28-1.mga3.noarch.rpm drupal-sqlite-7.28-1.mga3.noarch.rpm
Hardware: i586 => AllVersion: Cauldron => 4Assignee: fundawang => qa-bugsWhiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Thanks Thomas! Advisory: ======================== Updated drupal packages fix security vulnerability: An information disclosure vulnerability was discovered in Drupal before 7.27. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time (CVE-2014-2983). Drupal has been updated to version 7.28, fixing this and other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2983 https://drupal.org/SA-CORE-2014-002 https://drupal.org/drupal-7.27 https://drupal.org/drupal-7.27-release-notes https://drupal.org/drupal-7.28 http://drupal.org/drupal-7.28-release-notes https://www.debian.org/security/2014/dsa-2913
Procedure in bug 8442. Currently testing mga3 32
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok
Testing mga3 64 next.
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Testing mga4 32 Didn't notice this on upgraded installations but when testing with a mysql database I installed directly with the update candidate. It was all OK until I logged out. It at first showed connection reset, then after a refresh and attempted logout again it showed.. Fatal error: Cannot call overloaded function for non-object in /usr/share/drupal/includes/database/query.inc on line 331 /var/log/httpd/error_log shows this.. [Mon May 19 17:21:22.369728 2014] [core:notice] [pid 8625] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND' [Mon May 19 17:23:35.522872 2014] [core:notice] [pid 8625] AH00052: child pid 8630 exit signal Segmentation fault (11) [Mon May 19 17:23:35.522972 2014] [core:notice] [pid 8625] AH00052: child pid 8687 exit signal Segmentation fault (11) [Mon May 19 17:23:35.523007 2014] [core:notice] [pid 8625] AH00052: child pid 8689 exit signal Segmentation fault (11) [Mon May 19 17:23:36.524093 2014] [core:notice] [pid 8625] AH00052: child pid 8632 exit signal Segmentation fault (11) [Mon May 19 17:23:36.524254 2014] [core:notice] [pid 8625] AH00052: child pid 8730 exit signal Segmentation fault (11) [Mon May 19 17:23:39.526479 2014] [core:notice] [pid 8625] AH00052: child pid 8628 exit signal Segmentation fault (11) zend_mm_heap corrupted [Mon May 19 17:23:50.866243 2014] [:error] [pid 8733] [client 127.0.0.1:38614] PHP Fatal error: Cannot call overloaded function for non-object in /usr/share/drupal/includes/database/query.inc on line 331, referer: http://localhost/drupal/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure feedback mga3-32-ok mga3-64-ok
Some Googling shows that this zend_mm_heap corrupted thing with Drupal is a pretty common problem and has been for years apparently. There are a zillion different suggestions out there, like disabling opcache or apc and increasing the output_buffering value in php.ini. It certainly hasn't been hard to find PHP crasher bugs on Mageia 4 :o( As for the query.inc thing, that sounds like a Drupal bug. I suppose we could see if they fix it in 7.29?
Assigning back to you for now David. Please reassign when you're ready. Thanks.
CC: (none) => qa-bugsAssignee: qa-bugs => luigiwalserWhiteboard: MGA3TOO has_procedure feedback mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Upstream has issued an advisory on July 16: https://www.drupal.org/SA-CORE-2014-003 The issues are fixed in 7.29. Debian has issued an advisory for this on July 20: https://www.debian.org/security/2014/dsa-2983 LWN reference: http://lwn.net/Vulnerabilities/606068/ CVE request: http://openwall.com/lists/oss-security/2014/07/21/5 Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated drupal packages fix security vulnerability: An information disclosure vulnerability was discovered in Drupal before 7.27. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time (CVE-2014-2983). Multiple security issues in Drupal before 7.29, including a denial of service issue, an access bypass issue in the File module, and multiple cross-site scripting issues (SA-CORE-2014-003). Drupal has been updated to version 7.29, fixing this and other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2983 https://drupal.org/SA-CORE-2014-002 https://drupal.org/SA-CORE-2014-003 https://drupal.org/drupal-7.27 https://drupal.org/drupal-7.27-release-notes https://drupal.org/drupal-7.28 http://drupal.org/drupal-7.28-release-notes https://drupal.org/drupal-7.29 http://drupal.org/drupal-7.29-release-notes https://www.debian.org/security/2014/dsa-2913 https://www.debian.org/security/2014/dsa-2983 ======================== Updated packages in core/updates_testing: ======================== drupal-7.29-1.mga3 drupal-mysql-7.29-1.mga3 drupal-postgresql-7.29-1.mga3 drupal-sqlite-7.29-1.mga3 drupal-7.29-1.mga4 drupal-mysql-7.29-1.mga4 drupal-postgresql-7.29-1.mga4 drupal-sqlite-7.29-1.mga4 from SRPMS: drupal-7.29-1.mga3.src.rpm drupal-7.29-1.mga4.src.rpm
CC: qa-bugs => (none)Assignee: luigiwalser => qa-bugsWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedureSeverity: major => critical
MITRE says CVEs were already assigned to the SA-CORE-2014-003 issues: http://openwall.com/lists/oss-security/2014/07/23/12 Updated advisory. Advisory: ======================== Updated drupal packages fix security vulnerability: An information disclosure vulnerability was discovered in Drupal before 7.27. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time (CVE-2014-2983). Multiple security issues in Drupal before 7.29, including a denial of service issue, an access bypass issue in the File module, and multiple cross-site scripting issues (CVE-2014-5019, CVE-2014-5020, CVE-2014-5021, CVE-2014-5022). Drupal has been updated to version 7.29, fixing this and other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2983 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5019 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5020 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5021 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5022 https://drupal.org/SA-CORE-2014-002 https://drupal.org/SA-CORE-2014-003 https://drupal.org/drupal-7.27 https://drupal.org/drupal-7.27-release-notes https://drupal.org/drupal-7.28 http://drupal.org/drupal-7.28-release-notes https://drupal.org/drupal-7.29 http://drupal.org/drupal-7.29-release-notes https://www.debian.org/security/2014/dsa-2913 https://www.debian.org/security/2014/dsa-2983
Summary: drupal new security issue CVE-2014-2983 => drupal new security issues CVE-2014-2983, CVE-2014-5019, and CVE-2014-502[0-2]
Just to say that I am wrestling with installing Drupal MGA4 64-bit with a view to trying the update. Have got it basically installed, but not yet working. To keep this update 'alive'.
CC: (none) => lewyssmith
Testing complete mga4 64 As with most webapps it needs a database. drupal can use sqlite, mysql (mariadb) or postgresql. Once the package is installed and a database created, further configuration takes place at http://localhost/drupal Installing the current package then updating to the testing version and ensuring it still works. mysql ===== # urpmi drupal In order to satisfy the 'drupal-database-storage[== 7.26-1.mga4]' dependency, one of the following packages is needed: 1- drupal-mysql-7.26-1.mga4.noarch: mysql storage for drupal (to install) 2- drupal-postgresql-7.26-1.mga4.noarch: postgresql storage for drupal (to install) 3- drupal-sqlite-7.26-1.mga4.noarch: sqlite storage for drupal (to install) What is your choice? (1-3) 1 Use phpmyadmin to create a mysql user/password and database, or use command line as below. I generally use 'drupal' for each of these as it's only temporary and not open to t'internet. # mysql -p Enter password: <<-- this is the mysql root passwd, not system root passwd Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 95 Server version: 5.5.38-MariaDB Mageia MariaDB Server Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> create user drupal@localhost identified by 'drupal'; Query OK, 0 rows affected (0.01 sec) MariaDB [(none)]> create database drupal; Query OK, 1 row affected (0.00 sec) MariaDB [(none)]> grant all on drupal.* to drupal@localhost; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> exit Bye Browse to http://localhost/drupal and begin the configuration. Choose mysql as the database type and enter the details there. When configuration is completed add some site content and upload an image, update it and check it again. I usually untick the option to send site emails. Remove drupal and clear the database and configuration. # urpme drupal # rm -rf /etc/drupal # mysql -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 176 Server version: 5.5.38-MariaDB Mageia MariaDB Server Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> drop user drupal@localhost; Query OK, 0 rows affected (0.01 sec) MariaDB [(none)]> drop database drupal; Query OK, 73 rows affected (0.36 sec) MariaDB [(none)]> exit Bye postgresql ========== # urpmi drupal In order to satisfy the 'drupal-database-storage[== 7.29-1.mga4]' dependency, one of the following packages is needed: 1- drupal-mysql-7.29-1.mga4.noarch: mysql storage for drupal (to install) 2- drupal-postgresql-7.29-1.mga4.noarch: postgresql storage for drupal (to install) 3- drupal-sqlite-7.29-1.mga4.noarch: sqlite storage for drupal (to install) What is your choice? (1-3) 2 I installed the update candidate directly this time. It installs lib64pq9.3_5 which is a postgresql lib. postgresql is version dependent so install the matching postgresql9.3-server package and start the service. # urpmi postgresql9.3-server # service postgresql start Create a database in postgresql weirdness. You first change to user postgres. # su - postgres $ createuser --pwprompt --encrypted --no-adduser drupal Enter password for new role: Enter it again: $ createdb --encoding=UNICODE --template=template0 --owner=drupal drupal $ exit logout # Then browse to http://localhost/drupal and complete the configuration, this time selecting postgresql database type. Add an article with an image. Remove drupal and clean up again.. # urpme drupal # rm -rf /etc/drupal # su - postgres $ dropdb drupal $ dropuser drupal exit # urpme postgresql9.3-server sqlite ====== # urpmi drupal In order to satisfy the 'drupal-database-storage[== 7.29-1.mga4]' dependency, one of the following packages is needed: 1- drupal-mysql-7.29-1.mga4.noarch: mysql storage for drupal (to install) 2- drupal-postgresql-7.29-1.mga4.noarch: postgresql storage for drupal (to install) 3- drupal-sqlite-7.29-1.mga4.noarch: sqlite storage for drupal (to install) What is your choice? (1-3) 3 Then browse to http://localhost/drupal and choose sqlite database For some reason this sometimes fails, causing apache segfaults. Likely php-suhosin again. Restarting (rather than reloading) apache cures it. Tested with current and updated to testing again. Remove drupal and clean up.. # urpme drupal # rm -rf /var/lib/drupal/ # rm -rf /etc/drupal
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
Testing complete on Mageia 3 32bit following the detailed procedure in comment 16. Thanks for this Claire :-)
CC: (none) => remiWhiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok advisory
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok advisory => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok advisory
Testing complete mga4 32 Validating. Advisory already uploaded. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok advisory => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisoryCC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0322.html
CC: (none) => pterjan
.
Status: NEW => RESOLVEDResolution: (none) => FIXED
LWN reference for the CVEs fixed in SA-CORE-2014-003 / Drupal 7.29: http://lwn.net/Vulnerabilities/608201/