Upstream has issued an advisory on November 16:
https://www.drupal.org/SA-CORE-2016-005

CVEs have been requested:
http://www.openwall.com/lists/oss-security/2016/11/18/8

Updated package uploaded for Mageia 5.

Advisory to come later.

References:
https://www.drupal.org/SA-CORE-2016-005
https://www.drupal.org/drupal-7.45
https://www.drupal.org/drupal-7.45-release-notes
https://www.drupal.org/drupal-7.46
https://www.drupal.org/drupal-7.46-release-notes
https://www.drupal.org/drupal-7.47
https://www.drupal.org/drupal-7.47-release-notes
https://www.drupal.org/drupal-7.48
https://www.drupal.org/drupal-7.48-release-notes
https://www.drupal.org/drupal-7.49
https://www.drupal.org/drupal-7.49-release-notes
https://www.drupal.org/drupal-7.50
https://www.drupal.org/drupal-7.50-release-notes
https://www.drupal.org/drupal-7.51
https://www.drupal.org/drupal-7.51-release-notes
https://www.drupal.org/drupal-7.52
https://www.drupal.org/drupal-7.52-release-notes

========================
Updated packages in core/updates_testing:
========================
drupal-7.52-1.mga5
drupal-mysql-7.52-1.mga5
drupal-postgresql-7.52-1.mga5
drupal-sqlite-7.52-1.mga5

from drupal-7.52-1.mga5.src.rpm
Testing procedures: https://bugs.mageia.org/show_bug.cgi?id=14298#c6
Whiteboard: (none) => has_procedure
Debian has issued an advisory for this on November 17: https://www.debian.org/security/2016/dsa-3718
URL: (none) => http://lwn.net/Vulnerabilities/706841/
CVE-2016-9449 and CVE-2016-9451:
http://openwall.com/lists/oss-security/2016/11/18/16

Advisory:
========================

Updated drupal packages fix security vulnerabilities:

Inconsistent name for term access query; information on taxonomy terms might have been disclosed to unprivileged users (CVE-2016-9449).

Confirmation forms allow external URLs to be injected (CVE-2016-9451).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9451
https://www.drupal.org/SA-CORE-2016-005
https://www.drupal.org/drupal-7.45
https://www.drupal.org/drupal-7.45-release-notes
https://www.drupal.org/drupal-7.46
https://www.drupal.org/drupal-7.46-release-notes
https://www.drupal.org/drupal-7.47
https://www.drupal.org/drupal-7.47-release-notes
https://www.drupal.org/drupal-7.48
https://www.drupal.org/drupal-7.48-release-notes
https://www.drupal.org/drupal-7.49
https://www.drupal.org/drupal-7.49-release-notes
https://www.drupal.org/drupal-7.50
https://www.drupal.org/drupal-7.50-release-notes
https://www.drupal.org/drupal-7.51
https://www.drupal.org/drupal-7.51-release-notes
https://www.drupal.org/drupal-7.52
https://www.drupal.org/drupal-7.52-release-notes
http://openwall.com/lists/oss-security/2016/11/18/16
Summary: drupal new security issues fixed upstream in 7.52 => drupal new security issues fixed upstream in 7.52 (CVE-2016-9449 and CVE-2016-9451)
LWN references with the CVEs: https://lwn.net/Vulnerabilities/707038/ https://lwn.net/Vulnerabilities/707041/
CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory
Testing M5 x64 real hardware. I already have Drupal installed, using Postgres, so: UPDATED to: drupal-7.52-1.mga5, drupal-postgresql-7.52-1.mga5 without problems. Played with it (http://localhost/drupal), added an Article with a picture, modified a previous one, edited a Basic Page. OK for me. If the 32-bit tester can use MariaDB/MySQL, so much the better.
CC: (none) => lewyssmith
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK
Mageia5-32 on Virtualbox 5.0.8 with guest additions and real hardware (AMD free driver)

I installed MariaDB with Drupal 7.52-1.mag5 without problem.

Then, I created some pages with texts, images, weblinks ...
Everything has been working without issues for 4 hours now.

Same results on Virtualbox and real hardware so it's ok for me.
CC: (none) => youpburden
(In reply to youpburden from comment #6)
> Mageia5-32 on Virtualbox 5.0.8 with guest additions and real hardware (AMD
> free driver)
>
> I installed MariaDB with Drupal 7.52-1.mag5 without problem.
>
> Then, I created some pages with texts, images, weblinks ...
> Everything has been working without issues for 4 hours now.
>
> Same results on Virtualbox and real hardware so it's ok for me.

It's been a week now and Drupal is still working fine.

MGA5-32-OK
Whiteboard: has_procedure advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CVE: (none) => CVE-2016-9449, CVE-2016-9450, CVE-2016-9452, CVE-2016-9451
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0413.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE: CVE-2016-9449, CVE-2016-9450, CVE-2016-9452, CVE-2016-9451 => CVE-2016-9449 CVE-2016-9451