Bug 14614 - drupal new security issues CVE-2014-9015 and CVE-2014-9016
Summary: drupal new security issues CVE-2014-9015 and CVE-2014-9016
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/622604/
Whiteboard: MGA3TOO has_procedure advisory MGA3-6...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-11-20 15:29 CET by David Walser
Modified: 2014-11-26 18:30 CET (History)
3 users (show)

See Also:
Source RPM: drupal-7.32-1.mga4.src.rpm
CVE:
Status comment:


Attachments
Drupal testing procedure (3.63 KB, text/plain)
2014-11-23 18:36 CET, olivier charles
Details

Description David Walser 2014-11-20 15:29:54 CET
Upstream has issued an advisory on November 19:
https://www.drupal.org/SA-CORE-2014-006

The issue is fixed upstream in 7.34:
https://www.drupal.org/drupal-7.34-release-notes

There has also been a 7.33 bugfix release since our last update:
https://www.drupal.org/drupal-7.33-release-notes

The update is checked into Mageia 3, Mageia 4, and Cauldron SVN.

A freeze push has been requested for Cauldron.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-11-20 15:30:16 CET
There doesn't appear to be a CVE yet, but it was inquired about here:
http://openwall.com/lists/oss-security/2014/11/20/3

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 2 David Walser 2014-11-20 16:05:56 CET
CVE-2014-9015 and CVE-2014-9016 have been assigned:
http://openwall.com/lists/oss-security/2014/11/20/21

Summary: drupal new security issue fixed upstream in 7.34 => drupal new security issues CVE-2014-9015 and CVE-2014-9016

Comment 3 David Walser 2014-11-20 16:15:28 CET
Updated packages uploaded for Mageia 3 and Mageia 4.

Freeze push request still pending for Cauldron.

Advisory:
========================

Updated drupal packages fix security vulnerability:

In Drupal before 7.34, a specially crafted request can give a user access to
another user's session, allowing an attacker to hijack a random session
(CVE-2014-9015).

Drupal 7 includes a password hashing API to ensure that user supplied
passwords are not stored in plain text. A vulnerability in this API in Drupal
before 7.34 allows an attacker to send specially crafted requests resulting
in CPU and memory exhaustion. This may lead to the site becoming unavailable
or unresponsive (denial of service). This vulnerability can be exploited by
anonymous users (CVE-2014-9016).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9016
https://www.drupal.org/SA-CORE-2014-006
https://drupal.org/drupal-7.33
https://drupal.org/drupal-7.33-release-notes
https://drupal.org/drupal-7.34
https://drupal.org/drupal-7.34-release-notes
http://openwall.com/lists/oss-security/2014/11/20/21
========================

Updated packages in core/updates_testing:
========================
drupal-7.34-1.mga3
drupal-mysql-7.34-1.mga3
drupal-postgresql-7.34-1.mga3
drupal-sqlite-7.34-1.mga3
drupal-7.34-1.mga4
drupal-mysql-7.34-1.mga4
drupal-postgresql-7.34-1.mga4
drupal-sqlite-7.34-1.mga4

from SRPMS:
drupal-7.34-1.mga3.src.rpm
drupal-7.34-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 4 Rémi Verschelde 2014-11-20 21:34:12 CET
Procedures: https://bugs.mageia.org/show_bug.cgi?id=13271#c16 and https://bugs.mageia.org/show_bug.cgi?id=14298#c4

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 5 David Walser 2014-11-21 19:00:56 CET
Debian has issued an advisory for this on November 20:
https://www.debian.org/security/2014/dsa-3075

Advisory:
========================

Updated drupal packages fix security vulnerability:

Aaron Averill discovered that a specially crafted request can give a user
access to another user's session, allowing an attacker to hijack a random
session (CVE-2014-9015).

Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that the
password hashing API allows an attacker to send specially crafted requests
resulting in CPU and memory exhaustion. This may lead to the site becoming
unavailable or unresponsive (denial of service) (CVE-2014-9016).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9016
https://www.drupal.org/SA-CORE-2014-006
https://drupal.org/drupal-7.33
https://drupal.org/drupal-7.33-release-notes
https://drupal.org/drupal-7.34
https://drupal.org/drupal-7.34-release-notes
https://www.debian.org/security/2014/dsa-3075

URL: (none) => http://lwn.net/Vulnerabilities/622604/

Comment 6 olivier charles 2014-11-21 23:46:19 CET
Testing on Mageia3-64 real HW

Current packages :
----------------

$ rpm -q drupal
drupal-7.32-1.mga3

Following procedures mentionned in comment 4

Proceeded with a new installation with mysql of Drupal
When connecting to database, I was warned that Drupal version was outdated.
Could connect to drupal start page and use it as expected.

Updated to testing packages :
---------------------------
# rpm -q drupal
drupal-7.34-1.mga3

* with drupal-mysql-7.34-1.mga3.noarch

Using mysqld could connect to previous installation.
Dropped database and proceeded with new installation.
Created some pages, installed modules, changed some configurations, log in, log out.

All ok.

* with drupal-postgresql-7.34-1.mga3.noarch

Could install and use it without any problems. Drupal status report showed everything was ok.

* with drupal-sqlite-7.34-1.mga3.noarch

After setting 
# chmod a+w sites/default/settings.php
# chmod a+w sites/default

Could install and use it without any problems. Drupal status report showed everything was ok.

Conclusion :
----------
drupal-7.34-1.mga3 (update testing package) functionnal with mysql, postgresql, sqlite.

Good for me.

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-64-OK

Comment 7 olivier charles 2014-11-23 18:36:29 CET
Created attachment 5634 [details]
Drupal testing procedure
Comment 8 olivier charles 2014-11-23 18:39:33 CET
Tested on Mageia4-64 real hardware

With current package, tested with mysql :
drupal-7.32-1.mga4
drupal-mysql-7.32-1.mga4

With update testing packages, tested with mysql, postgresql, sqlite:
drupal-7.34-1.mga4
drupal-mysql-7.34-1.mga4
drupal-postgresql-7.34-1.mga4
drupal-sqlite-7.34-1.mga4

All OK.

In attachment, assembled the 2 procedures mentionned in comment 4 for future testing.

Whiteboard: MGA3TOO has_procedure MGA3-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK

Comment 9 claire robinson 2014-11-26 11:20:17 CET
Validating for inclusion in mga3. Advisory uploaded.

Please push to updates

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-64-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2014-11-26 18:30:13 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0492.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.