Upstream has issued an advisory on October 21: https://www.drupal.org/SA-CORE-2015-004
A CVE has been requested: http://openwall.com/lists/oss-security/2015/10/21/6
Updated packages uploaded for Mageia 5 and Cauldron. Advisory to come later.

References:
https://www.drupal.org/SA-CORE-2015-004
https://www.drupal.org/drupal-7.40
https://www.drupal.org/drupal-7.40-release-notes
https://www.drupal.org/drupal-7.41
https://www.drupal.org/drupal-7.41-release-notes

========================
Updated packages in core/updates_testing:
========================
drupal-7.41-1.mga5
drupal-mysql-7.41-1.mga5
drupal-postgresql-7.41-1.mga5
drupal-sqlite-7.41-1.mga5

from drupal-7.41-1.mga5.src.rpm
Testing procedures: https://bugs.mageia.org/show_bug.cgi?id=14298#c6
Whiteboard: (none) => has_procedure
CVE-2015-7943 assigned: http://openwall.com/lists/oss-security/2015/10/23/6

Advisory:
========================
Updated drupal packages fix security vulnerability:

The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability (CVE-2015-7943).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7943
https://www.drupal.org/SA-CORE-2015-004
https://www.drupal.org/drupal-7.40
https://www.drupal.org/drupal-7.40-release-notes
https://www.drupal.org/drupal-7.41
https://www.drupal.org/drupal-7.41-release-notes
http://openwall.com/lists/oss-security/2015/10/23/6
Summary: drupal new security issues fixed upstream in 7.41 => drupal new security issue fixed upstream in 7.41 (CVE-2015-7943)
CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory
URL: (none) => http://lwn.net/Vulnerabilities/662052/
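The advisory above describes the bug class (an open redirect caused by insufficient validation of a URL before it is acted on) but not the fix itself. The following is an added example, written for this page and not Drupal's or Mageia's code, of the kind of destination check a web application can apply before redirecting or loading a user-supplied URL: only absolute paths on the same site are accepted, and the protocol-relative, backslash and percent-encoded variants that browsers resolve to another host are rejected. The function names and the accepted/rejected inputs are this example's own assumptions.

```python
from urllib.parse import unquote, urlsplit


def is_same_site_path(dest: str) -> bool:
    """True only if `dest` is an absolute path on this site.

    Hypothetical validator for this example (not Drupal's code). It rejects
    anything a browser could interpret as pointing at another host: absolute
    URLs with a scheme, protocol-relative '//host', the backslash variant
    '/\\host', and percent-encoded forms of the same.
    """
    # Check the raw value and its percent-decoded form: a later layer may
    # decode the value before emitting a Location: header or loading it.
    for candidate in (dest, unquote(dest)):
        if not candidate.startswith("/"):
            return False  # empty, relative, or carries a scheme such as http:
        if candidate.startswith(("//", "/\\")):
            return False  # protocol-relative reference to another host
        if any(ord(ch) < 0x20 for ch in candidate):
            return False  # control characters can smuggle a scheme past parsers
        parts = urlsplit(candidate)
        if parts.scheme or parts.netloc:
            return False  # the URL parser still found a host or scheme
    return True


def redirect_target(dest: str, fallback: str = "/") -> str:
    """Return `dest` if it is a safe on-site path, otherwise `fallback`."""
    return dest if is_same_site_path(dest) else fallback


if __name__ == "__main__":
    # Constructed sample inputs: the first two are legitimate on-site paths,
    # the rest are the shapes an open redirect would forward to another host.
    for sample in ("/admin/config", "/node/1?destination=/user",
                   "//evil.example/", "/\\evil.example", "http://evil.example/",
                   "/%2F%2Fevil.example", "javascript:alert(1)"):
        print(f"{sample!r:32} -> {redirect_target(sample)!r}")
```

The two-pass check (raw and decoded) matters because a value that looks like a harmless path in its encoded form can become `//host` once something downstream decodes it; a validator that only inspects one form leaves that gap open.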
Testing M5 x64 using PostgreSQL. Updated from: drupal-7.39-1.mga5 drupal-postgresql-7.39-1.mga5 to: drupal-7.41-1.mga5 drupal-postgresql-7.41-1.mga5 Played with the result, edited a page, added a user. All seems OK within my limited knowledge of how to drive this thing. Update deemed OK. It would be nice if a 32-bit tester could use a different database, to try two variables at once.
CC: (none) => lewyssmith
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK
Potential issue: Files (.php, .txt etc.) as well as directories under /etc/drupal/sites are executable with 755 apache:apache permissions. Previous version is the same so it may always have been this way. Other than the above, installed and tested ok mga5 32 mysql. Created an article with an image. Adding feedback for now.
Whiteboard: has_procedure advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK feedback
Nice catch, that's definitely wrong. An %attr with 0755 was on the line for /etc/drupal/sites, but not marked as %dir. The 0755 should be unnecessary, so I deleted it. drupal-7.41-1.1.mga5 submitted.
Whiteboard: has_procedure advisory MGA5-64-OK feedback => has_procedure MGA5-64-OK
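The two comments above (the report of executable .php and .txt files under /etc/drupal/sites, and the explanation that an RPM %attr with 0755 had been applied to a path that was not marked %dir, so the mode landed on the files as well) describe a symptom a tester can check for directly. The following is an added example, not Mageia's or the drupal package's code, of a small audit that walks a configuration directory and lists regular files that carry any execute bit; it builds a throwaway directory tree mimicking the mispackaged layout so it runs offline. The directory and file names in the sample tree are constructed for this example.

```python
import os
import stat
import sys
import tempfile


def executable_regular_files(root: str) -> list:
    """Walk `root` and return regular files with any execute bit set.

    Added example, not the package's own code. Configuration trees such as
    /etc/drupal/sites should hold 0644 files under 0755 directories, so a
    regular file with an execute bit here is the symptom reported above.
    Directories are skipped: 0755 on a directory only grants traversal.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Construct a throwaway tree that mimics the mispackaged layout.

    Two files get 0755 (the reported defect), one gets the expected 0644.
    """
    root = tempfile.mkdtemp(prefix="drupal-sites-")
    site = os.path.join(root, "default")
    os.makedirs(site)
    os.chmod(site, 0o755)
    for name, mode in (("settings.php", 0o755),
                       ("README.txt", 0o755),
                       ("default.settings.php", 0o644)):
        path = os.path.join(site, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    # Pass a real directory (for example /etc/drupal/sites) to audit it;
    # with no argument the constructed sample tree is used.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel in executable_regular_files(target):
        print(f"executable regular file: {os.path.join(target, rel)}")
```

Run against the updated package's tree, an empty result is the expected outcome; on the 7.41-1 build the reporter described, settings files would show up. A check like this complements `rpm -V`, which compares installed modes against the spec rather than against what the directory should contain.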
Retested x86_64, confirmed the fix. All seems ok. Validating drupal-7.41-1.1.mga5.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory updated in SVN.
Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0425.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED