Split bug 5844 so drupal mga2 could be pushed. The Mga1 update can be handled separately in that same bug. Advisory: ======================== Updated drupal packages fix security vulnerabilities: Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the "post comments" or "Forum topic: Create new content" permission (CVE-2012-1588). Drupal core's Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user's ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem (CVE-2012-1589). Drupal core's forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum then users who should not have access to unpublished forum posts were still be able to see meta-data about the forum post such as the post title (CVE-2012-1590). Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn't set the right headers to prevent image styles from being cached in the browser (CVE-2012-1591). Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the "Access the content overview page" permission. Unpublished nodes were not displayed to users who only had the "Access the content overview page" permission (CVE-2012-2153). The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message (CVE-2012-2922). A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server (Drupal SA-CORE-2012-003). For sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server (Drupal SA-CORE-2012-003). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1588 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1589 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1590 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1591 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2153 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2922 http://drupal.org/node/1557938 http://drupal.org/node/1815912 http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081721.html ======================== Updated packages in core/updates_testing: ======================== drupal-7.16-1.mga2 drupal-mysql-7.16-1.mga2 drupal-postgresql-7.16-1.mga2 drupal-sqlite-7.16-1.mga2 from SRPMS: drupal-7.16-1.mga2.src.rpm
Validated on bug 5844 but needs to be pushed separately from the update for mga1. Could sysadmin please push these mga2 packages from core/updates_testing to core/updates. Thanks!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: (none) => mga2-32-OK mga2-64-OKSeverity: normal => critical
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0320
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED