Upstream has issued an advisory on August 19:
https://www.drupal.org/SA-CORE-2015-003

CVEs have been requested:
http://openwall.com/lists/oss-security/2015/08/21/5

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron. Advisory to come later.

References:
https://www.drupal.org/SA-CORE-2015-003
https://www.drupal.org/drupal-7.39
https://www.drupal.org/drupal-7.39-release-notes

========================
Updated packages in core/updates_testing:
========================

drupal-7.39-1.mga4
drupal-mysql-7.39-1.mga4
drupal-postgresql-7.39-1.mga4
drupal-sqlite-7.39-1.mga4

drupal-7.39-1.mga5
drupal-mysql-7.39-1.mga5
drupal-postgresql-7.39-1.mga5
drupal-sqlite-7.39-1.mga5

from SRPMS:
drupal-7.39-1.mga4.src.rpm
drupal-7.39-1.mga5.src.rpm

Reproducible:

Steps to Reproduce:
Testing procedures: https://bugs.mageia.org/show_bug.cgi?id=14298#c6
Whiteboard: (none) => MGA4TOO has_procedure
While I still have the evidence, a re-cap of installing & configuring Drupal with PostgreSQL (assumed already installed).

- Install: drupal drupal-postgresql

- Create the PostgreSQL Drupal user and database [from the Drupal site]:
  $ createuser -U postgres --pwprompt --encrypted --no-adduser --no-createdb <username>
  $ createdb -U postgres --encoding=UNICODE --owner=<username> <DBname>

- Follow the package post-installation commands; [earlier references to /usr/share/drupal/sites/ are superseded, now linked to /etc/drupal/sites/]:
  # cp /etc/drupal/sites/default/default.settings.php /etc/drupal/sites/default/settings.php
  # chmod 666 /etc/drupal/sites/default/settings.php

- Configure Drupal from its web interface: http://localhost/drupal/install.php
  Be careful what you define, and note it well, as you follow each step. It wants real e-mail addresses when it asks for them.

- After the configuration, adjust permissions:
  # chmod 644 /etc/drupal/sites/default/settings.php
  /etc/drupal/sites/default/ is already correctly 755 (drwxr-xr-x).

- Thereafter, "Visit your new site" is the local Drupal URL: http://localhost/drupal/
CC: (none) => lewyssmith
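The procedure in Comment 2 deliberately makes settings.php world-writable (0666) so the web installer can write the database credentials into it, and then tightens it back to 0644. The step that is easy to forget is the last one, so the following is an added check script (not part of the bug report or the Mageia package) that verifies a settings.php and its directory have the expected post-install modes. It assumes GNU stat (-c), as on Mageia, and defaults to the /etc/drupal/sites/default/ path used in the comment; the function name check_settings_perms is the example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: verify that Drupal's settings.php has
# been tightened back to 0644 after the web installer finished, and that its
# directory is 0755. Uses GNU stat (-c), available on Mageia.

# check_settings_perms FILE
# Prints one line per problem found. Returns 0 when the file and its directory
# have acceptable modes, 1 otherwise.
check_settings_perms() {
    file=$1
    dir=$(dirname "$file")
    rc=0

    if [ ! -f "$file" ]; then
        echo "MISSING: $file (copy default.settings.php and run the installer first)"
        return 1
    fi

    fmode=$(stat -c '%a' "$file")
    dmode=$(stat -c '%a' "$dir")

    # settings.php holds the database credentials: once the installer has
    # written it, it must no longer be group- or world-writable.
    case "$fmode" in
        644|640|600) ;;
        *) echo "BAD FILE MODE: $file is $fmode, expected 644 (chmod 644 \"$file\")"; rc=1 ;;
    esac

    # A writable directory would let an unprivileged local user replace the
    # file even when the file itself is read-only.
    case "$dmode" in
        755|750|700) ;;
        *) echo "BAD DIR MODE: $dir is $dmode, expected 755 (chmod 755 \"$dir\")"; rc=1 ;;
    esac

    return $rc
}

# Stand-alone use: sh check_drupal_perms.sh [/path/to/settings.php]
# The check only runs when a path is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    check_settings_perms "$1"
fi
```

Run it as `sh check_drupal_perms.sh /etc/drupal/sites/default/settings.php` after the "adjust permissions" step; a non-zero exit with a BAD FILE MODE line means the 0666 from the installation step is still in place.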
Testing MGA5 x64 (OK)

Installed & configured as Comment 2 above:
drupal-7.38-1.mga5
drupal-postgresql-7.38-1.mga5
Played with it a bit, created a few mini pages.

Updated to:
drupal-7.39-1.mga5
drupal-postgresql-7.39-1.mga5
Played a little more, in blissful ignorance. It still works, so this update deemed OK.
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA5-64-OK
Testing MGA4 x64 (OK)

Updated existing Drupal (using PostgreSQL) to:
drupal-7.39-1.mga4
drupal-postgresql-7.39-1.mga4
Playing with it subsequently revealed no problems.
Whiteboard: MGA4TOO has_procedure MGA5-64-OK => MGA4TOO has_procedure MGA5-64-OK MGA4-64-OK
We now have CVEs: http://openwall.com/lists/oss-security/2015/08/27/1

Advisory:
========================

Updated drupal packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files (CVE-2015-6658).

SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment (CVE-2015-6659).

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks" (CVE-2015-6660).

Drupal before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu (CVE-2015-6661).

Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal before 7.39 allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag (CVE-2015-6665).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6658
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6660
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6665
https://www.drupal.org/SA-CORE-2015-003
https://www.drupal.org/drupal-7.39
https://www.drupal.org/drupal-7.39-release-notes
As this is noarch, it could be validated.
Validating. Needs someone to upload the advisory though.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA4TOO has_procedure MGA5-64-OK MGA4-64-OK => MGA4TOO has_procedure MGA5-64-OK MGA4-64-OK advisory
Advisory uploaded.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0328.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/655997/