Upstream has issued an advisory on June 15:
https://www.drupal.org/SA-CORE-2016-002

I haven't seen a CVE or CVE request for this yet.

Updated package uploaded for Mageia 5.

Advisory:
========================

Updated drupal packages fix security vulnerability:

A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the site. This would typically result in the user gaining administrative access (SA-CORE-2016-002).

References:
https://www.drupal.org/SA-CORE-2016-002
https://www.drupal.org/drupal-7.44
https://www.drupal.org/drupal-7.44-release-notes
========================

Updated packages in core/updates_testing:
========================
drupal-7.44-1.mga5
drupal-mysql-7.44-1.mga5
drupal-postgresql-7.44-1.mga5
drupal-sqlite-7.44-1.mga5

from drupal-7.44-1.mga5.src.rpm

Testing procedures: https://bugs.mageia.org/show_bug.cgi?id=14298#c6
Whiteboard: (none) => has_procedure
Testing complete mga5 64

Updated with drupal-mysql, installed with drupal-sqlite. No issues.
Whiteboard: has_procedure => has_procedure mga5-64-ok
Validating
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0245.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE request: http://openwall.com/lists/oss-security/2016/07/13/4
(In reply to David Walser from comment #5)
> CVE request:
> http://openwall.com/lists/oss-security/2016/07/13/4

CVE-2016-6211:
http://openwall.com/lists/oss-security/2016/07/13/7
Summary: drupal new security issue fixed upstream in 7.44 => drupal new security issue fixed upstream in 7.44 (CVE-2016-6211)