Multiple vulnerabilities were fixed in the supported Drupal core versions 7(DRUPAL-SA-CORE-2013-001). * A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue. * A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to. * Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on "image styles" and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view. The drupal package was updated to latest version 7.19 to fix above vulnerabilities.
URL: (none) => http://drupal.org/SA-CORE-2013-001
Fedora has issued advisories for this: http://lwn.net/Vulnerabilities/534652/
SRPM: drupal-7.19-1.mga2.src.rpm -------------------------------- drupal drupal-mysql drupal-postgresql drupal-sqlite
For procedure see bug 8442
Whiteboard: (none) => has_procedure
Testing mga2 64
Testing complete drupal mga2 64 with mysql, postgresql & sqlite
Whiteboard: has_procedure => has_procedure mga2-64-ok
Testing i586 shortly.
CC: (none) => davidwhodgins
Testing complete on Mageia 2 i586. Could someone from the sysadmin team push the srpm drupal-7.19-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Multiple vulnerabilities were fixed in the supported Drupal core versions 7(DRUPAL-SA-CORE-2013-001). * A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue. * A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to. * Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on "image styles" and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view. The drupal package was updated to latest version 7.19 to fix above vulnerabilities https://bugs.mageia.org/show_bug.cgi?id=8733
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0027
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED