Upstream has issued an advisory on March 18: https://www.drupal.org/SA-CORE-2015-001 The issues are fixed in 7.35. Freeze push requested for Cauldron. Updated package uploaded for Mageia 4. Advisory to come later. CVEs have been requested: http://openwall.com/lists/oss-security/2015/03/19/5 CVE-2015-2559 has been assigned for the first issue: http://openwall.com/lists/oss-security/2015/03/20/2 At least one CVE is expected to be assigned for the second issue, but hasn't been yet. References (so far): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2559 https://www.drupal.org/SA-CORE-2015-001 https://www.drupal.org/drupal-7.34 https://www.drupal.org/drupal-7.34-release-notes http://openwall.com/lists/oss-security/2015/03/20/2 Updated packages in core/updates_testing: ======================== drupal-7.35-1.mga4 drupal-mysql-7.35-1.mga4 drupal-postgresql-7.35-1.mga4 drupal-sqlite-7.35-1.mga4 from drupal-7.35-1.mga4.src.rpm Reproducible: Steps to Reproduce:
Testing procedures: https://bugs.mageia.org/show_bug.cgi?id=14298#c6
Whiteboard: (none) => has_procedure
Testing on Mageia4x64 real hardware From current packages : --------------------- drupal-7.34-1.mga4 Created a drupal test site with mysql To updated packages : ------------------ drupal-7.35-1.mga4 drupal-mysql-7.35-1.mga4 drupal-postgresql-7.35-1.mga4 drupal-sqlite-7.35-1.mga4 # systemctl restart mysqld httpd With mysql : Browsed to previous drupal site, In section Reports, verified I was running new version. Made some few alterations, logged out back in, all OK Dropped drupal test database and user. Created new site with mysql, verified basic usage. Dropped drupal test db Did the same thing with postgresl db and sqlite db. All OK
CC: (none) => olchalWhiteboard: has_procedure => has_procedure MGA4-64-OK
Debian has issued an advisory for this on March 20: https://www.debian.org/security/2015/dsa-3200 Still waiting for the second part of the CVE request to get resolved.
URL: (none) => http://lwn.net/Vulnerabilities/637566/
CVE-2015-2749 and CVE-2015-2750 have been assigned, completing the request: http://openwall.com/lists/oss-security/2015/03/26/4 Advisory: ======================== Updated drupal packages fix security vulnerabilities: Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password (CVE-2015-2559). Under certain circumstances, malicious users can construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks. In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities (CVE-2015-2749, CVE-2015-2750). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2559 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2749 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2750 https://www.drupal.org/SA-CORE-2015-001 https://www.drupal.org/drupal-7.35 https://www.drupal.org/drupal-7.35-release-notes http://openwall.com/lists/oss-security/2015/03/20/2 http://openwall.com/lists/oss-security/2015/03/26/4
Testing on Mageia4x32 real hardware From current package : -------------------- drupal-7.34-1.mga4 Created new site with mysql. Created an article, uploaded a picture, ... As I saw in Comment 4 that there was a vulnerability with users accounts,created 2 new users with 1st administrator account, logged out and in with each new user, adding comments, new articles ... To updated testing packages : --------------------------- drupal-7.35-1.mga4 drupal-mysql-7.35-1.mga4 Browsed back to previous site : http://localhost/drupal Verified in Reports/Status report it had updated to new version Logged in and out with each user, created a new one. Edited articles, created new ones All OK.
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK
Validating, advisory uploaded. Please push to 4 core/updates.
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK advisoryCC: (none) => remi, sysadmin-bugs
LWN reference for CVE-2015-2749 and CVE-2015-2750: http://lwn.net/Vulnerabilities/638218/
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0121.html
Status: NEW => RESOLVEDResolution: (none) => FIXED