An advisory has been issued today (October 15):
http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

Mageia 3 and Mageia 4 are also affected. The update is checked into SVN and a freeze push has been requested for Cauldron.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory to come later. For now see the reference in Comment 0.

drupal-7.32-1.mga3.src.rpm
drupal-7.32-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Debian has issued an advisory for this on October 15:
http://www.debian.org/security/2014/dsa-3051

This is highly critical and should be considered a priority update.

Advisory:
========================

Updated drupal packages fix security vulnerability:

An SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries, and thereby completely control the Drupal site. This vulnerability can be exploited by remote attackers without any kind of authentication required (CVE-2014-3704).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
https://www.drupal.org/SA-CORE-2014-005
https://www.drupal.org/drupal-7.31
https://www.drupal.org/drupal-7.31-release-notes
http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
http://www.debian.org/security/2014/dsa-3051
========================

Updated packages in core/updates_testing:
========================
drupal-7.32-1.mga3
drupal-mysql-7.32-1.mga3
drupal-postgresql-7.32-1.mga3
drupal-sqlite-7.32-1.mga3
drupal-7.32-1.mga4
drupal-mysql-7.32-1.mga4
drupal-postgresql-7.32-1.mga4
drupal-sqlite-7.32-1.mga4

from SRPMS:
drupal-7.32-1.mga3.src.rpm
drupal-7.32-1.mga4.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/616445/
Correcting the 7.31/7.32 links in the advisory.

Advisory:
========================

Updated drupal packages fix security vulnerability:

An SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries, and thereby completely control the Drupal site. This vulnerability can be exploited by remote attackers without any kind of authentication required (CVE-2014-3704).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
https://www.drupal.org/SA-CORE-2014-005
https://www.drupal.org/drupal-7.32
https://www.drupal.org/drupal-7.32-release-notes
http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
http://www.debian.org/security/2014/dsa-3051
========================

Updated packages in core/updates_testing:
========================
drupal-7.32-1.mga3
drupal-mysql-7.32-1.mga3
drupal-postgresql-7.32-1.mga3
drupal-sqlite-7.32-1.mga3
drupal-7.32-1.mga4
drupal-mysql-7.32-1.mga4
drupal-postgresql-7.32-1.mga4
drupal-sqlite-7.32-1.mga4

from SRPMS:
drupal-7.32-1.mga3.src.rpm
drupal-7.32-1.mga4.src.rpm
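To make "the way the Drupal core handles prepared statements" concrete, here is an added Python model (not Drupal's or Mageia's code) of how an array-valued query argument is expanded into one placeholder per element: before 7.32 the placeholder suffix was taken from the array key as supplied by the caller, so caller-controlled key text was spliced into the SQL string, and the 7.32 fix re-indexes the array (array_values()) so suffixes are always positional. The query text, function names and the "untrusted" sample key are this example's own constructions.

```python
import re

# Constructed model of expanding an array-valued argument into one
# placeholder per element (the mechanism behind CVE-2014-3704). PHP arrays
# are modelled as dicts because their keys, not only their values, can be
# caller-supplied. This is an illustration, not Drupal's code.

PLACEHOLDER = re.compile(r":\w+")


def expand_arguments(query, args, reindex):
    """Rewrite ':key' into ':key_<suffix>, ...' for every array argument.

    reindex=False: suffix = array key as supplied (pre-7.32 behaviour).
    reindex=True:  suffix = position after re-indexing (the 7.32 fix).
    Returns the rewritten query and the flattened argument dict.
    """
    expanded = dict(args)
    for key, data in args.items():
        if not isinstance(data, dict):
            continue  # scalars are bound by the driver, nothing to splice
        items = enumerate(data.values()) if reindex else data.items()
        new_keys = {f"{key}_{i}": value for i, value in items}
        joined = ", ".join(new_keys)
        query = re.sub(re.escape(key) + r"\b", lambda _m: joined, query)
        del expanded[key]
        expanded.update(new_keys)
    return query, expanded


def only_generated_placeholders(query, args):
    """Check that every ':name' token in the query is a bound argument with
    a numeric suffix, i.e. nothing caller-supplied reached the SQL text."""
    for token in PLACEHOLDER.findall(query):
        if token not in args or not re.search(r"_\d+$", token):
            return False
    return True


if __name__ == "__main__":
    sql = "SELECT uid FROM users WHERE name IN (:name)"
    # Constructed input: one array key is caller-controlled text, not an index.
    supplied = {":name": {"untrusted": "alice", 0: "bob"}}
    for reindex in (False, True):
        q, a = expand_arguments(sql, supplied, reindex)
        print("7.32 " if reindex else "7.31 ", q, a)
```

With reindex=False the query becomes `... IN (:name_untrusted, :name_0)`, which the check rejects; with reindex=True it becomes `... IN (:name_0, :name_1)`, which passes.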
Testing on Mageia4-64 real hardware.

As I didn't know if there was anything specific to test, I installed updates-testing packages as listed and then installed drupal following the installation guide found here: https://www.drupal.org/documentation/install.

With MCC:
- drupal-7.32-1.mga4.noarch
- drupal-mysql-7.32-1.mga4.noarch
- drupal-postgresql-7.32-1.mga4.noarch
- drupal-sqlite-7.32-1.mga4.noarch
- php-pdo_mysql-5.5.16-1.mga4.x86_64
- php-pdo_pgsql-5.5.16-1.mga4.x86_64
- php-pdo_sqlite-5.5.16-1.mga4.x86_64
- php-uploadprogress-1.0.3.1-7.mga4.x86_64

Created a database in command line:
# mysqladmin -u root -p create drupzitoun
# mysql -u root -p
> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON drupzitoun.* TO 'root'@'localhost' IDENTIFIED BY 'password';
> exit

Set up drupal:
# cd /usr/share/drupal
# cp sites/default/default.settings.php sites/default/settings.php
# chmod a+w sites/default/settings.php
# chmod a+w sites/default

In firefox web browser: http://localhost/drupal/install.php

Followed installation steps:
Drupal Installation tasks
Choose profile (done)
Choose language (done)
Verify requirements (done)
Set up database (done)
Install profile

All necessary changes to sites/default and sites/default/settings.php have been made, so you should remove write permissions to them now in order to avoid security risks. If you are unsure how to do so, consult the online handbook.
# chmod 644 sites/default/settings.php
# cd sites
# chmod 755 default

Drupal installed without any problem. Then, connected to http://drupal which opened a start page where I created articles, menus, links, installed modules, logged out, logged back in, edited, deleted articles... Everything went well.

If there is any other step to follow, I'll be happy to do it for further testing.
CC: (none) => olchal
That's sufficient, thanks Olivier.
See comment 4 and https://bugs.mageia.org/show_bug.cgi?id=13271#c16 for testing procedures.
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
I am trying this also M4 x64 using PostgreSQL, but after installing & configuring Drupal from normal repos (thanks to Olivier for his excellent instructions in Comment 4), I am having problems with Updates Testing which (among a raft of updates) does not show Drupal at all. Have tried twice at both sides of a night, # urpmi.update "Core Updates Testing" yields the 'aria2' error. Will try again, tonight.
CC: (none) => lewyssmith
M4 x64 using PostgreSQL. Eventually managed to update Drupal to:
drupal-postgresql-7.32-1.mga4
drupal-7.32-1.mga4

Re-launched it, played a little bit (being clueless about it), it worked OK as before the update. Edited a page, changed a picture. *Much* less than Comment 4.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK
Testing on Mageia4-32, real HW

First installing normal packages:
- drupal-7.31-1.mga4.noarch
- drupal-mysql-7.31-1.mga4.noarch
- php-pdo_mysql-5.5.16-1.mga4.i586
- php-uploadprogress-1.0.3.1-7.mga4.i586

Set up drupal as before using mysql (comment 4). Everything OK (installation, basic usage).

Updating to drupal-testing:
- drupal-7.32-1.mga4.noarch
- drupal-mysql-7.32-1.mga4.noarch

Connected to http://localhost/drupal. Found my first project, basic usage OK.
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32 OK
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32 OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK
Advisory uploaded, ready to be pushed once it's been tested on Mageia 3.
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK advisory
I can test Mageia 3.
CC: (none) => ozkyster
I try to test it but I get several errors in terminal mysql: I cannot set mysql root password even after trying to edit file /etc/my.cnf.

mysqladmin -u root password '*********':
mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)'
Check that mysqld is running and that the socket: '/var/lib/mysql/mysql.sock' exists!

Is this because of VirtualBox?
Did you start mysqld with: systemctl start mysqld ?

If you're stuck with mariadb you can have a look at some instructions I wrote here, that might help you change the password if you forgot it: https://bugs.mageia.org/show_bug.cgi?id=14208#c6
Mageia 3 testing done, no problems found. I validated the update. Sysadmin, please push this update.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK advisory => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0423.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED