Upstream has issued an advisory on August 6:
https://www.drupal.org/SA-CORE-2014-004

A CVE has been requested:
http://openwall.com/lists/oss-security/2014/08/07/1

No response yet.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Waiting on the CVE assignment for the advisory.

Updated packages in core/updates_testing:
========================
drupal-7.31-1.mga3
drupal-mysql-7.31-1.mga3
drupal-postgresql-7.31-1.mga3
drupal-sqlite-7.31-1.mga3
drupal-7.31-1.mga4
drupal-mysql-7.31-1.mga4
drupal-postgresql-7.31-1.mga4
drupal-sqlite-7.31-1.mga4

from SRPMS:
drupal-7.31-1.mga3.src.rpm
drupal-7.31-1.mga4.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13271#c16
Whiteboard: (none) => MGA3TOO has_procedure
Testing complete Mageia 3 32bit.
CC: (none) => remi
Whiteboard: MGA3TOO has_procedure => MGA3TOO MGA3-32-OK has_procedure
I also tested installing Drupal in French btw, following the instructions given in the language choice page to retrieve translations.
Testing complete mga4 64
Ready to validate once advisory is uploaded.
Whiteboard: MGA3TOO MGA3-32-OK has_procedure => MGA3TOO MGA3-32-OK mga4-64-ok has_procedure
As Claire said, this one can be validated too. Just like wordpress, no response to the CVE request yet, so this is all I have.

Advisory:
========================

Updated drupal packages fix security vulnerability:

A denial of service issue exists in Drupal before 7.31, due to XML entity expansion in a publicly accessible XML-RPC endpoint.

The drupal package has been updated to version 7.31 to fix this issue and other bugs. See the upstream advisory and release notes for more details.

References:
https://www.drupal.org/SA-CORE-2014-004
https://www.drupal.org/drupal-7.30
https://www.drupal.org/drupal-7.30-release-notes
https://www.drupal.org/drupal-7.31
https://www.drupal.org/drupal-7.31-release-notes
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Debian has issued an advisory for this on August 9: https://www.debian.org/security/2014/dsa-2999
URL: (none) => http://lwn.net/Vulnerabilities/608409/
Advisory uploaded.
Whiteboard: MGA3TOO MGA3-32-OK mga4-64-ok has_procedure => MGA3TOO MGA3-32-OK mga4-64-ok has_procedure advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0329.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
MITRE finally assigned some CVEs (CVE-2014-526[567]):
http://openwall.com/lists/oss-security/2014/08/16/4

LWN reference:
http://lwn.net/Vulnerabilities/609181/