Mageia Bugzilla – Bug 8442
[Update Request] Update drupal into latest version 7.x series
Last modified: 2012-12-26 20:01:21 CET
Security vulnerabilities have been found in drupal shipped in Mageia 2 and its updates media:
SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities:
* A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users.
* A vulnerability was identified that allows information about uploaded files to be displayed in RSS feeds and search results to users that do not have the "view uploaded files" permission.
* Drupal core's file upload feature blocks the upload of many files that can be executed on the server by munging the filename. A malicious user could name a file in a manner that bypasses this munging of the filename in Drupal's input validation.
The drupal package has been updated to the latest version, 7.18, to fix the above vulnerabilities.
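As an added check for testers (not part of the bug report or the Mageia package), the script below reads the release string a Drupal 7 tree defines in includes/bootstrap.inc and compares it against 7.18, the version this update ships; the install path /usr/share/drupal is an assumption.

```sh
#!/bin/sh
# Added example, not from the bug report: confirm an installed Drupal 7 tree
# is at or beyond the release that fixes SA-CORE-2012-004 (7.18).
# Drupal 7 records its release in includes/bootstrap.inc as:
#   define('VERSION', '7.18');
# DRUPAL_ROOT is an assumption; adjust it to the package layout.
DRUPAL_ROOT="${DRUPAL_ROOT:-/usr/share/drupal}"
FIXED_VERSION="7.18"

# Print the VERSION string from bootstrap.inc (nothing if it cannot be read).
drupal_version() {
    sed -n "s/^define('VERSION', '\([^']*\)');.*/\1/p" \
        "$1/includes/bootstrap.inc" 2>/dev/null
}

# Succeed when dotted version $1 is >= $2 (numeric per field, so 7.18 > 7.9).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" \
        | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)" = "$1" ]
}

# 0 = fixed release present, 1 = older than the fix, 2 = version not found.
check_drupal() {
    v=$(drupal_version "$1" || :)
    [ -n "$v" ] || { echo "no VERSION found under $1"; return 2; }
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "drupal $v at $1: includes the fix for SA-CORE-2012-004"
        return 0
    fi
    echo "drupal $v at $1: older than $FIXED_VERSION, still affected"
    return 1
}

# Run directly with an optional install path: ./check.sh /usr/share/drupal
if [ $# -gt 0 ]; then
    check_drupal "$1"
    exit $?
fi
```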
Tested mga2 64 with mysql OK
Installed and configured. Added an article and basic post with images.
Updated and all still seems fine, can add content and upload images.
Old content is still OK
sqlite and postgresql still to do
Testing complete mga2 64 with sqlite
Note to other testers. Between installs you need to 'rm -rf /etc/drupal' to make a clean install.
Testing complete mga2 64
Postgresql install is a bit unusual, so leaving some info to help.
# systemctl start postgresql.service
# su - postgres
$ createuser --pwprompt --encrypted --no-createrole --no-createdb drupal
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
The INSTALL.pgsql.txt file still needs updating here as it gives an error on the next command.
$ createdb --encoding=UTF8 --owner=drupal drupal
It's necessary to use --template=template0 as below
$ createdb --encoding=UTF8 --template=template0 --owner=drupal drupal
Exit back to root
Other than this, the README.urpmi (the text displayed on install) can be followed.
As seen here, CVEs have been assigned:
CVE-2012-5651 for the access bypass in User module search.
CVE-2012-5653 for the arbitrary PHP code execution.
Note that the note about the access bypass in the upload module shouldn't be included in our advisory, as it only affects Drupal 6.
Updated drupal packages fix security vulnerabilities:
A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users.
Drupal core's file upload feature blocks the upload of many files that can be executed on the server by munging the filename. A malicious user could name a file in a manner that bypasses this munging of the filename in Drupal's input validation.
The drupal package has been updated to the latest version, 7.18, to fix the above vulnerabilities.
Updated packages in core/updates_testing:
Testing mga2 32
Note for next time. It's also necessary to..
if it's been used before, as it's symlinked from /etc/drupal, and rm -rf /etc/drupal leaves the old sqlite database behind.
Also as postgres user 'dropdb drupal' when finished.
If postgresql*-server won't start, check /var/log/postgres/postgresql isn't owned by firebird:firebird from previous testing. Delete if it is.
Testing complete mga2 32 with mysql, sqlite, postgresql9.1
Advisory & srpm in comment 6
Could sysadmin please push from core/updates_testing to core/updates