Security vulnerabilities have been found in drupal shipped in Mageia 2 and its updates media:

SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities:

* A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users.
* A vulnerability was identified that allows information about uploaded files to be displayed in RSS feeds and search results to users that do not have the "view uploaded files" permission.
* Drupal core's file upload feature blocks the upload of many files that can be executed on the server by munging the filename. A malicious user could name a file in a manner that bypasses this munging of the filename in Drupal's input validation.

The drupal package has been updated to the latest version, 7.18, to fix the above vulnerabilities.
SRPM: drupal-7.18-1.mga2.src.rpm
--------------------------------
drupal
drupal-mysql
drupal-postgresql
drupal-sqlite
Tested mga2 64 with mysql: OK.

Installed and configured. Added an article and basic post with images. Updated and all still seems fine; can add content and upload images. Old content is still OK.

sqlite and postgresql still to do.
Testing complete mga2 64 with sqlite
Note to other testers. Between installs you need to 'rm -rf /etc/drupal' to make a clean install.
Testing complete mga2 64.

Postgresql install is a bit unusual so leaving some info to help..

# systemctl start postgresql.service
# su - postgres
$ createuser --pwprompt --encrypted --no-createrole --no-createdb drupal
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n

The INSTALL.pgsql.txt file still needs updating here as it gives an error on the next command.

$ createdb --encoding=UTF8 --owner=drupal drupal

It's necessary to use --template=template0 as below:

$ createdb --encoding=UTF8 --template=template0 --owner=drupal drupal

Exit back to root:

$ exit

Other than this, the README.urpmi (the text displayed on install) can be followed.
Whiteboard: (none) => mga2-64-OK
As seen here, CVEs have been assigned:
http://openwall.com/lists/oss-security/2012/12/20/1

CVE-2012-5651 for the access bypass in User module search.
CVE-2012-5653 for the arbitrary PHP code execution.

Note that the note about the access bypass in the upload module shouldn't be included in our advisory, as it only affects Drupal 6.

Advisory:
========================

Updated drupal packages fix security vulnerabilities:

A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users (CVE-2012-5651).

Drupal core's file upload feature blocks the upload of many files that can be executed on the server by munging the filename. A malicious user could name a file in a manner that bypasses this munging of the filename in Drupal's input validation (CVE-2012-5653).

The drupal package has been updated to the latest version, 7.18, to fix the above vulnerabilities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5651
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5653
http://drupal.org/SA-CORE-2012-004
========================

Updated packages in core/updates_testing:
========================
drupal-7.18-1.mga2
drupal-mysql-7.18-1.mga2
drupal-postgresql-7.18-1.mga2
drupal-sqlite-7.18-1.mga2

from drupal-7.18-1.mga2.src.rpm
CC: (none) => luigiwalser
Severity: normal => major
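The filename "munging" the advisory refers to, as an added illustration of the validation concept (this is not Drupal's own file_munge_filename() nor anything from the Mageia package): non-allowlisted extensions in the middle of a name get a trailing underscore so a web server no longer sees a runnable segment, and the final extension is enforced separately. The allowlist strings and sample filenames are assumptions constructed for the example.

```python
import re
from typing import Tuple

# Constructed illustration of upload-filename munging. Middle segments that
# look like an extension (2-5 letters, optional digit) and are not on the
# allowlist get a '_' appended; the final extension is handled by the caller.
_EXTENSION_LIKE = re.compile(r"^[a-zA-Z]{2,5}\d?$")


def munge_filename(filename: str, allowed: str) -> str:
    """Return the name with non-allowlisted middle extensions suffixed by '_'.

    'shell.php.txt' becomes 'shell.php_.txt'. Extension comparison is
    case-insensitive; the original casing of the name is preserved.
    """
    # Null bytes terminate C strings: strip them so the name the filesystem
    # stores is exactly the name that was validated here.
    filename = filename.replace("\0", "")
    whitelist = {e.lower() for e in allowed.split()}
    parts = filename.split(".")
    if len(parts) < 2:
        return filename  # no extension at all, nothing to munge
    new_name = parts[0]
    final_ext = parts[-1]
    for part in parts[1:-1]:
        new_name += "." + part
        if part.lower() not in whitelist and _EXTENSION_LIKE.match(part):
            new_name += "_"
    return new_name + "." + final_ext


def validate_upload(filename: str, allowed: str) -> Tuple[bool, str]:
    """Munge the name, then accept only if the final extension is allowlisted.

    Munging alone only covers the middle segments; without this last check a
    plain 'shell.php' would pass through untouched.
    """
    munged = munge_filename(filename, allowed)
    final_ext = munged.rsplit(".", 1)[-1].lower() if "." in munged else ""
    accepted = final_ext in {e.lower() for e in allowed.split()}
    return accepted, munged


if __name__ == "__main__":
    # Constructed sample names; the allowlist is an assumption for the demo.
    for name in ("shell.php.txt", "photo.JPG.png", "shell.php", "readme"):
        print(name, "->", validate_upload(name, "jpg png txt"))
```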
Testing mga2 32
Note for next time. It's also necessary to..

rm /etc/drupal/sites/default/files/.ht.sqlite

if it's been used before, as it's symlinked from /etc/drupal and rm -rf /etc/drupal leaves the old sqlite database behind.

Also, as the postgres user, 'dropdb drupal' when finished.

If postgresql*-server won't start, check /var/log/postgres/postgresql isn't owned by firebird:firebird from previous testing. Delete it if it is.
Testing complete mga2 32 with mysql, sqlite, postgresql9.1.

Validating. Advisory & srpm in comment 6.

Could sysadmin please push from core/updates_testing to core/updates.
Thanks!
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: mga2-64-OK => mga2-64-OK mga2-32-OK has_procedure
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0366
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED