Bug 17815 - drupal new security issues fixed upstream in 7.43
Summary: drupal new security issues fixed upstream in 7.43
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/677958/
Whiteboard: has_procedure advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-02-24 22:51 CET by David Walser
Modified: 2016-03-16 12:27 CET

See Also:
Source RPM: drupal-7.41-1.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2016-02-24 22:51:30 CET
Upstream has issued an advisory today (February 24):
https://www.drupal.org/SA-CORE-2016-001

CVEs have been requested:
http://openwall.com/lists/oss-security/2016/02/24/19

Updated package uploaded for Mageia 5.

Advisory to come later.

References:
https://www.drupal.org/SA-CORE-2016-001
https://www.drupal.org/drupal-7.42
https://www.drupal.org/drupal-7.42-release-notes
https://www.drupal.org/drupal-7.43
https://www.drupal.org/drupal-7.43-release-notes
========================

Updated packages in core/updates_testing:
========================
drupal-7.43-1.mga5
drupal-mysql-7.43-1.mga5
drupal-postgresql-7.43-1.mga5
drupal-sqlite-7.43-1.mga5

from drupal-7.43-1.mga5.src.rpm

Comment 1 David Walser 2016-02-24 22:51:47 CET
Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=14298#c6

Whiteboard: (none) => has_procedure

Comment 2 Lewis Smith 2016-02-26 20:24:41 CET
Testing MGA5 x64 with PostgreSQL

I had all this already installed, so updated to:
 drupal-7.43-1.mga5
 drupal-postgresql-7.43-1.mga5
and played with it a bit, editing, upload of an image. All seems OK.

CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 3 claire robinson 2016-02-27 16:24:28 CET
Testing complete mysql (mariadb)

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 claire robinson 2016-02-27 21:16:02 CET
This one needs an advisory please David

Comment 5 David Walser 2016-02-27 21:31:41 CET
Still no CVEs :o(

Advisory:
========================

Updated drupal packages fix security vulnerabilities:

The drupal package has been updated to version 7.43, which fixes several
security issues and other bugs.  See the upstream advisory and release
notes for details.

References:
https://www.drupal.org/SA-CORE-2016-001
https://www.drupal.org/drupal-7.42
https://www.drupal.org/drupal-7.42-release-notes
https://www.drupal.org/drupal-7.43
https://www.drupal.org/drupal-7.43-release-notes

Comment 6 claire robinson 2016-02-27 21:44:02 CET
Thanks. Advisory uploaded.

Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK

Comment 7 David Walser 2016-02-29 23:09:24 CET
Debian has issued an advisory for this on February 28:
https://www.debian.org/security/2016/dsa-3498

URL: (none) => http://lwn.net/Vulnerabilities/677958/

Comment 8 Mageia Robot 2016-03-02 19:30:12 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0087.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2016-03-16 12:27:04 CET
CVEs have finally been assigned for this:
http://openwall.com/lists/oss-security/2016/03/15/10

CVE-2016-316[2-4], CVE-2016-316[89], CVE-2016-3170 applied to us.
