Upstream has issued an advisory on November 19: https://www.drupal.org/SA-CORE-2014-006 The issue is fixed upstream in 7.34: https://www.drupal.org/drupal-7.34-release-notes There has also been a 7.33 bugfix release since our last update: https://www.drupal.org/drupal-7.33-release-notes The update is checked into Mageia 3, Mageia 4, and Cauldron SVN. A freeze push has been requested for Cauldron. Reproducible: Steps to Reproduce:
There doesn't appear to be a CVE yet, but it was inquired about here: http://openwall.com/lists/oss-security/2014/11/20/3
Whiteboard: (none) => MGA4TOO, MGA3TOO
CVE-2014-9015 and CVE-2014-9016 have been assigned: http://openwall.com/lists/oss-security/2014/11/20/21
Summary: drupal new security issue fixed upstream in 7.34 => drupal new security issues CVE-2014-9015 and CVE-2014-9016
Updated packages uploaded for Mageia 3 and Mageia 4. Freeze push request still pending for Cauldron. Advisory: ======================== Updated drupal packages fix security vulnerability: In Drupal before 7.34, a specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session (CVE-2014-9015). Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text. A vulnerability in this API in Drupal before 7.34 allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). This vulnerability can be exploited by anonymous users (CVE-2014-9016). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9015 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9016 https://www.drupal.org/SA-CORE-2014-006 https://drupal.org/drupal-7.33 https://drupal.org/drupal-7.33-release-notes https://drupal.org/drupal-7.34 https://drupal.org/drupal-7.34-release-notes http://openwall.com/lists/oss-security/2014/11/20/21 ======================== Updated packages in core/updates_testing: ======================== drupal-7.34-1.mga3 drupal-mysql-7.34-1.mga3 drupal-postgresql-7.34-1.mga3 drupal-sqlite-7.34-1.mga3 drupal-7.34-1.mga4 drupal-mysql-7.34-1.mga4 drupal-postgresql-7.34-1.mga4 drupal-sqlite-7.34-1.mga4 from SRPMS: drupal-7.34-1.mga3.src.rpm drupal-7.34-1.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Procedures: https://bugs.mageia.org/show_bug.cgi?id=13271#c16 and https://bugs.mageia.org/show_bug.cgi?id=14298#c4
CC: (none) => remiWhiteboard: MGA3TOO => MGA3TOO has_procedure
Debian has issued an advisory for this on November 20: https://www.debian.org/security/2014/dsa-3075 Advisory: ======================== Updated drupal packages fix security vulnerability: Aaron Averill discovered that a specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session (CVE-2014-9015). Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that the password hashing API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service) (CVE-2014-9016). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9015 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9016 https://www.drupal.org/SA-CORE-2014-006 https://drupal.org/drupal-7.33 https://drupal.org/drupal-7.33-release-notes https://drupal.org/drupal-7.34 https://drupal.org/drupal-7.34-release-notes https://www.debian.org/security/2014/dsa-3075
URL: (none) => http://lwn.net/Vulnerabilities/622604/
Testing on Mageia3-64 real HW Current packages : ---------------- $ rpm -q drupal drupal-7.32-1.mga3 Following procedures mentionned in comment 4 Proceeded with a new installation with mysql of Drupal When connecting to database, I was warned that Drupal version was outdated. Could connect to drupal start page and use it as expected. Updated to testing packages : --------------------------- # rpm -q drupal drupal-7.34-1.mga3 * with drupal-mysql-7.34-1.mga3.noarch Using mysqld could connect to previous installation. Dropped database and proceeded with new installation. Created some pages, installed modules, changed some configurations, log in, log out. All ok. * with drupal-postgresql-7.34-1.mga3.noarch Could install and use it without any problems. Drupal status report showed everything was ok. * with drupal-sqlite-7.34-1.mga3.noarch After setting # chmod a+w sites/default/settings.php # chmod a+w sites/default Could install and use it without any problems. Drupal status report showed everything was ok. Conclusion : ---------- drupal-7.34-1.mga3 (update testing package) functionnal with mysql, postgresql, sqlite. Good for me.
CC: (none) => olchalWhiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-64-OK
Created attachment 5634 [details] Drupal testing procedure
Tested on Mageia4-64 real hardware With current package, tested with mysql : drupal-7.32-1.mga4 drupal-mysql-7.32-1.mga4 With update testing packages, tested with mysql, postgresql, sqlite: drupal-7.34-1.mga4 drupal-mysql-7.34-1.mga4 drupal-postgresql-7.34-1.mga4 drupal-sqlite-7.34-1.mga4 All OK. In attachment, assembled the 2 procedures mentionned in comment 4 for future testing.
Whiteboard: MGA3TOO has_procedure MGA3-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK
Validating for inclusion in mga3. Advisory uploaded. Please push to updates
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-64-OK MGA4-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0492.html
Status: NEW => RESOLVEDResolution: (none) => FIXED