Debian has issued an advisory on June 18: https://www.debian.org/security/2015/dsa-3291
The issues are fixed upstream in Drupal 7.38.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Testing procedures: https://bugs.mageia.org/show_bug.cgi?id=14298#c6

Advisory:
========================

Updated drupal packages fix security vulnerabilities:

Incorrect cache handling made private content viewed by "user 1" exposed to other, non-privileged users (CVE-2015-3231).

A flaw in the Field UI module made it possible for attackers to redirect users to malicious sites (CVE-2015-3232).

Due to insufficient URL validation, the Overlay module could be used to redirect users to malicious sites (CVE-2015-3233).

The OpenID module allowed an attacker to log in as other users, including administrators (CVE-2015-3234).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3234
https://www.drupal.org/SA-CORE-2015-002
https://www.drupal.org/drupal-7.36
https://www.drupal.org/drupal-7.36-release-notes
https://www.drupal.org/drupal-7.37
https://www.drupal.org/drupal-7.37-release-notes
https://www.drupal.org/drupal-7.38
https://www.drupal.org/drupal-7.38-release-notes
https://www.debian.org/security/2015/dsa-3291
========================

Updated packages in core/updates_testing:
========================
drupal-7.38-1.mga4
drupal-mysql-7.38-1.mga4
drupal-postgresql-7.38-1.mga4
drupal-sqlite-7.38-1.mga4
drupal-7.38-1.mga5
drupal-mysql-7.38-1.mga5
drupal-postgresql-7.38-1.mga5
drupal-sqlite-7.38-1.mga5

from SRPMS:
drupal-7.38-1.mga4.src.rpm
drupal-7.38-1.mga5.src.rpm
Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO has_procedure
Severity: normal => critical
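Two of the four issues in the advisory above (CVE-2015-3232 in Field UI and CVE-2015-3233 in Overlay) are redirect flaws caused by insufficient validation of a user-supplied destination. The following is an added illustrative example, not code from Drupal or from the Mageia update: a generic, defensive check of the kind a web application applies before honouring a redirect parameter. The function names, the `SITE_HOST` value and the sample inputs are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Hypothetical site host for the example; not taken from the bug report or Drupal.
SITE_HOST = "localhost"


def is_safe_redirect_target(target: str, site_host: str = SITE_HOST) -> bool:
    """Return True only if `target` keeps the user on this site.

    Accepts a site-absolute path ("/node/1?x=y#frag") or an absolute
    http(s) URL whose host is exactly `site_host`; rejects everything else.
    """
    if not isinstance(target, str) or not target:
        return False
    # Control characters and whitespace can change how a browser parses the URL.
    if any(ord(ch) < 0x20 or ch.isspace() for ch in target):
        return False
    # Browsers treat a leading backslash like a slash, which would turn
    # "/\host" into a protocol-relative URL; reject backslashes outright.
    if "\\" in target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        # e.g. malformed IPv6 literal in the authority; treat as unsafe
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be site-absolute and not protocol-relative ("//host").
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        # Rejects javascript:, data:, and any other non-web scheme.
        return False
    # hostname strips userinfo and port, so "http://site@other/" resolves to "other".
    return parts.hostname is not None and parts.hostname.lower() == site_host.lower()


def resolve_destination(requested: str, default: str = "/") -> str:
    """Choose the redirect destination for a request, falling back to a local default."""
    return requested if is_safe_redirect_target(requested) else default


if __name__ == "__main__":
    # Constructed sample inputs: the first two are accepted, the rest fall back to "/".
    for candidate in ("/node/1", "http://localhost/user",
                      "//example.invalid/", "https://example.invalid/",
                      "javascript:alert(1)", "http://localhost@example.invalid/"):
        print(f"{candidate!r:40} -> {resolve_destination(candidate)}")
```

The check deliberately favours rejection: a bare relative path such as `node/1` is refused as well, because the caller can always prepend the site root itself, and matching on `hostname` rather than the raw `netloc` stops userinfo and port tricks from smuggling a foreign host past a string comparison.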
MGA4-64 on HP Probook 6555b KDE
No installation issues.
Followed procedure as per bug14298 Comment4 up to starting the local drupal site and created a basic page.
Info: the site to start drupal once it has been configured is http://localhost/drupal (copied from bug13271; it is wrong in bug14298).
CC: (none) => herman.viaene
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA4-64-OK
MGA5-64 on HP Probook 6555b KDE
No installation issues.
Followed procedure as per bug14298 Comment4 up to starting the local drupal site and created a basic page.
Whiteboard: MGA4TOO has_procedure MGA4-64-OK => MGA4TOO has_procedure MGA4-64-OK MGA5-64-OK
Should this be tested on i586 systems too or can we skip it? Because I can test it in VMs.
CC: (none) => shlomif
These are noarch, so it doesn't need to be tested on i586. Also, MrsB said it's OK to validate after testing on one arch this week, to try to get the list down. This one's ready to be validated.
Advisory committed to svn. Someone from the sysadmin team please push 16147.adv to updates for Mageia 4 and 5.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure MGA4-64-OK MGA5-64-OK => MGA4TOO has_procedure MGA4-64-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0253.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED