Bug 16630 - drupal new security issues fixed upstream in 7.39
Summary: drupal new security issues fixed upstream in 7.39
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/655997/
Whiteboard: MGA4TOO has_procedure MGA5-64-OK MGA4...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-08-21 21:00 CEST by David Walser
Modified: 2015-08-28 19:30 CEST
CC List: 2 users

See Also:
Source RPM: drupal-7.38-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-08-21 21:00:54 CEST
Upstream has issued an advisory on August 19:
https://www.drupal.org/SA-CORE-2015-003

CVEs have been requested:
http://openwall.com/lists/oss-security/2015/08/21/5

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory to come later.

References:
https://www.drupal.org/SA-CORE-2015-003
https://www.drupal.org/drupal-7.39
https://www.drupal.org/drupal-7.39-release-notes
========================

Updated packages in core/updates_testing:
========================
drupal-7.39-1.mga4
drupal-mysql-7.39-1.mga4
drupal-postgresql-7.39-1.mga4
drupal-sqlite-7.39-1.mga4
drupal-7.39-1.mga5
drupal-mysql-7.39-1.mga5
drupal-postgresql-7.39-1.mga5
drupal-sqlite-7.39-1.mga5

from SRPMS:
drupal-7.39-1.mga4.src.rpm
drupal-7.39-1.mga5.src.rpm

Comment 1 David Walser 2015-08-21 21:01:07 CEST
Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=14298#c6

Whiteboard: (none) => MGA4TOO has_procedure

Comment 2 Lewis Smith 2015-08-23 21:48:30 CEST
While I still have the evidence, a re-cap of installing & configuring Drupal with PostgreSQL (assumed already installed).
- Install:
 drupal
 drupal-postgresql

- Create the PostgreSQL Drupal user and database [from the Drupal site]:
 $ createuser -U postgres --pwprompt --encrypted --no-adduser --no-createdb <username>
 $ createdb -U postgres --encoding=UNICODE --owner=<username> <DBname>

- Follow the package post-installation commands; [earlier references to /usr/share/drupal/sites/ are superseded, now linked to /etc/drupal/sites/ ]:
 # cp /etc/drupal/sites/default/default.settings.php /etc/drupal/sites/default/settings.php
 # chmod 666 /etc/drupal/sites/default/settings.php

- Configure Drupal from its web interface
 http://localhost/drupal/install.php
Be careful what you define, and note it well, as you follow each step. It wants real e-mail addresses when it asks for them.

- After the configuration, adjust permissions:
 # chmod 644 /etc/drupal/sites/default/settings.php
/etc/drupal/sites/default/ is already correctly 755 (drwxr-xr-x).

- Thereafter, "Visit your new site" is the local Drupal URL:
 http://localhost/drupal/

CC: (none) => lewyssmith

Comment 3 Lewis Smith 2015-08-23 22:15:45 CEST
Testing MGA5 x64 (OK)

Installed & configured as Comment 2 above:
 drupal-7.38-1.mga5
 drupal-postgresql-7.38-1.mga5
Played with it a bit, created a few mini pages.

Updated to:
 drupal-7.39-1.mga5
 drupal-postgresql-7.39-1.mga5
Played a little more, in blissful ignorance. It still works, so this update deemed OK.

Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA5-64-OK

Comment 4 Lewis Smith 2015-08-24 13:29:43 CEST
Testing MGA4 x64 (OK)

Updated existing Drupal (using PostgreSQL) to:
 drupal-7.39-1.mga4
 drupal-postgresql-7.39-1.mga4

Playing with it subsequently revealed no problems.

Whiteboard: MGA4TOO has_procedure MGA5-64-OK => MGA4TOO has_procedure MGA5-64-OK MGA4-64-OK

Comment 5 David Walser 2015-08-27 13:45:00 CEST
We now have CVEs:
http://openwall.com/lists/oss-security/2015/08/27/1

Advisory:
========================

Updated drupal packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal
before 7.39 allows remote attackers to inject arbitrary web script or HTML
via a crafted URL, related to uploading files (CVE-2015-6658).

SQL injection vulnerability in the SQL comment filtering system in the
Database API in Drupal before 7.39 allows remote attackers to execute
arbitrary SQL commands via an SQL comment (CVE-2015-6659).

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly
validate the form token, which allows remote attackers to conduct CSRF
attacks that upload files in a different user's account via vectors related
to "file upload value callbacks" (CVE-2015-6660).

Drupal before 7.39 allows remote attackers to obtain sensitive node titles by
reading the menu (CVE-2015-6661).

Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal before
7.39 allows remote attackers to inject arbitrary web script or HTML via
vectors involving a whitelisted HTML element, possibly related to the "a" tag
(CVE-2015-6665).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6658
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6660
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6665
https://www.drupal.org/SA-CORE-2015-003
https://www.drupal.org/drupal-7.39
https://www.drupal.org/drupal-7.39-release-notes
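The CVE-2015-6659 entry above says only that the Database API's SQL comment filter could be bypassed to execute arbitrary SQL. The following Python is an added example, not code from this bug report or from Drupal, that models the class of filter at issue: one that strips the `/*` and `*/` delimiters from a user-supplied comment in a single non-overlapping regex pass, beside a hardened version that pads every `*` with spaces so a delimiter can never be re-formed. The payloads and the `SELECT nid FROM node` query are constructed for the demonstration; the exact filter implementations are illustrative reconstructions and are labelled as such in the comments.

```python
import re

# Constructed inputs for the demonstration (not payloads from the advisory).
ORIGINAL_QUERY = "SELECT nid FROM node"
NAIVE_PAYLOAD = "*/ DROP TABLE node; /*"
NESTED_PAYLOAD = "**// DROP TABLE node; //**"


def filter_comment_vulnerable(comment: str) -> str:
    """Strip '/*' and '*/' in one non-overlapping regex pass.

    Illustrative reconstruction of the weak filter class, not Drupal's code.
    The characters left on either side of a removed match are never
    re-examined, so '**//' collapses to '*/' and '//**' to '/*'.
    """
    return re.sub(r"(/\*\s*)|(\s*\*/)", "", comment)


def filter_comment_hardened(comment: str) -> str:
    """Pad every '*' with spaces.

    A block-comment delimiter is the two adjacent characters '/*' or '*/'.
    Guaranteeing a space on both sides of every '*' makes either sequence
    impossible to form, however the input is nested or repeated, and it
    does not rely on the filter being re-run until it reaches a fixed point.
    """
    return comment.replace("*", " * ")


def contains_comment_delimiter(text: str) -> bool:
    return "/*" in text or "*/" in text


def build_query(comment_filter, comment: str, query: str = ORIGINAL_QUERY) -> str:
    """Prefix the query with the filtered comment, the way a database layer
    that supports per-query comments would."""
    return f"/* {comment_filter(comment)} */ {query}"


def executed_statements(comment_filter, comment: str, query: str = ORIGINAL_QUERY) -> list:
    """Approximate what the database server sees: drop every /* ... */
    block (SQL block comments do not nest) and split on ';'.  More than one
    statement, or a statement other than the original, means the comment
    escaped its delimiters."""
    sql = build_query(comment_filter, comment, query)
    uncommented = re.sub(r"/\*.*?\*/", "", sql, flags=re.S)
    return [stmt.strip() for stmt in uncommented.split(";") if stmt.strip()]


if __name__ == "__main__":
    for name, payload in (("naive", NAIVE_PAYLOAD), ("nested", NESTED_PAYLOAD)):
        for label, flt in (("vulnerable", filter_comment_vulnerable),
                           ("hardened", filter_comment_hardened)):
            print(f"{name:6} {label:10} filtered={flt(payload)!r}")
            print(f"{'':17} executes={executed_statements(flt, payload)}")
```

The naive payload is neutralised by both filters, which is why a single-pass strip can look sufficient in testing. The nested payload survives the vulnerable filter as `*/ DROP TABLE node; /*`, so the wrapped query closes its comment early, runs the injected statement, and re-opens a comment around the intended close; the hardened filter leaves no delimiter at all.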
Comment 6 David Walser 2015-08-27 13:45:26 CEST
As this is noarch, it could be validated.
Comment 7 Samuel Verschelde 2015-08-27 16:47:22 CEST
Validating. Needs someone to upload the advisory though.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Rémi Verschelde 2015-08-27 20:14:03 CEST

Whiteboard: MGA4TOO has_procedure MGA5-64-OK MGA4-64-OK => MGA4TOO has_procedure MGA5-64-OK MGA4-64-OK advisory

Comment 8 Rémi Verschelde 2015-08-27 20:16:31 CEST
Advisory uploaded.
Comment 9 Mageia Robot 2015-08-27 22:50:46 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0328.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-08-28 19:30:17 CEST

URL: (none) => http://lwn.net/Vulnerabilities/655997/
