Bug 8442 - [Update Request] Update drupal into latest version 7.x series
Summary: [Update Request] Update drupal into latest version 7.x series
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://drupal.org/SA-CORE-2012-004
Whiteboard: mga2-64-OK mga2-32-OK has_procedure
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-12-20 02:50 CET by Funda Wang
Modified: 2012-12-26 20:01 CET (History)
3 users (show)

See Also:
Source RPM: drupal-7.18-1.mga2
CVE:
Status comment:


Attachments

Description Funda Wang 2012-12-20 02:50:36 CET
Security vulnerabilities have been found in drupal shipped in Mageia 2 and its updates media:

SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities:
* A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users.
* A vulnerability was identified that allows information about uploaded files to be displayed in RSS feeds and search results to users that do not have the "view uploaded files" permission.
* Drupal core's file upload feature blocks the upload of many files that can be executed on the server by munging the filename. A malicious user could name a file in a manner that bypasses this munging of the filename in Drupal's input validation.

The drupal package has been updated to latest version 7.18 to fix above vulnerabilities.
Comment 1 claire robinson 2012-12-20 10:19:06 CET
SRPM: drupal-7.18-1.mga2.src.rpm
--------------------------------
drupal
drupal-mysql
drupal-postgresql
drupal-sqlite
Comment 2 claire robinson 2012-12-20 17:16:07 CET
Tested mga2 64 with mysql OK

Installed and configured. Added an article and basic post with images.
Updated and all still seems fine, can add content and upload images.
Old content is still OK

sqlite and postgresql still to do
Comment 3 claire robinson 2012-12-20 17:28:27 CET
Testing complete mga2 64 with sqlite
Comment 4 claire robinson 2012-12-20 17:30:04 CET
Note to other testers. Between installs you need to 'rm -rf /etc/drupal' to make a clean install.
Comment 5 claire robinson 2012-12-20 17:52:07 CET
Testing complete mga2 64

Postgresql install is a bit unusual so leaving some info to help..

# systemctl start postgresql.service
# su - postgres

$ createuser --pwprompt --encrypted --no-createrole --no-createdb drupal
Enter password for new role: 
Enter it again:
Shall the new role be a superuser? (y/n) n

The INSTALL.pgsql.txt file still needs updating here as it gives an error on the next command.

$ createdb --encoding=UTF8 --owner=drupal drupal

It's necessary to use --template=template0 as below

$ createdb --encoding=UTF8 --template=template0 --owner=drupal drupal

Exit back to root
$ exit


Other than this, the README.urpmi (the text displayed on install) can be followed.

Whiteboard: (none) => mga2-64-OK

Comment 6 David Walser 2012-12-20 20:25:07 CET
As seen here, CVEs have been assigned:
http://openwall.com/lists/oss-security/2012/12/20/1

CVE-2012-5651 for the access bypass in User module search.

CVE-2012-5653 for the arbitrary PHP code execution.

Note that the note about the access bypass in the upload module shouldn't be included in our advisory, as it only affects Drupal 6.

Advisory:
========================

Updated drupal packages fix security vulnerabilities:

A vulnerability was identified that allows blocked users to appear in user
search results, even when the search results are viewed by unprivileged
users (CVE-2012-5651).

Drupal core's file upload feature blocks the upload of many files that can be
executed on the server by munging the filename. A malicious user could name a
file in a manner that bypasses this munging of the filename in Drupal's input
validation (CVE-2012-5653).

The drupal package has been updated to latest version 7.18 to fix above
vulnerabilities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5651
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5653
http://drupal.org/SA-CORE-2012-004
========================

Updated packages in core/updates_testing:
========================
drupal-7.18-1.mga2
drupal-mysql-7.18-1.mga2
drupal-postgresql-7.18-1.mga2
drupal-sqlite-7.18-1.mga2

from drupal-7.18-1.mga2.src.rpm

CC: (none) => luigiwalser
Severity: normal => major

Comment 7 claire robinson 2012-12-21 16:26:31 CET
Testing mga2 32
Comment 8 claire robinson 2012-12-21 17:41:41 CET
Note for next time. It's also necessary to..

rm /etc/drupal/sites/default/files/.ht.sqlite

if it's been used before as it's symlinked from /etc/drupal and rm -rf /etc/drupal leaves the old sqlite database behind.

Also as postgres user 'dropdb drupal' when finished.

If postgresql*-server won't start, check /var/log/postgres/postgresql isn't owned by firebird:firebird from previous testing. Delete if it is.
Comment 9 claire robinson 2012-12-21 17:49:56 CET
Testing complete mga2 32 with mysql, sqlite, postgresql9.1

Validating

Advisory & srpm in comment 6

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: mga2-64-OK => mga2-64-OK mga2-32-OK has_procedure

Comment 10 Thomas Backlund 2012-12-26 20:01:21 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0366

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.