Bug 8733 - [Update request] drupal 7.19 fixing multiple vulnerabilities
: [Update request] drupal 7.19 fixing multiple vulnerabilities
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://drupal.org/SA-CORE-2013-001
: has_procedure mga2-64-ok MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-01-18 13:23 CET by Funda Wang
Modified: 2013-02-06 22:59 CET (History)
3 users (show)

See Also:
Source RPM: drupal-7.19-1.mga2
CVE:


Attachments

Description Funda Wang 2013-01-18 13:23:31 CET
Multiple vulnerabilities were fixed in the supported Drupal core versions 7(DRUPAL-SA-CORE-2013-001).

* A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue.

* A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to.

* Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on "image styles" and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view.

The drupal package was updated to latest version 7.19 to fix above vulnerabilities.
Comment 1 David Walser 2013-01-29 01:06:44 CET
Fedora has issued advisories for this:
http://lwn.net/Vulnerabilities/534652/
Comment 2 claire robinson 2013-01-31 12:30:11 CET
SRPM: drupal-7.19-1.mga2.src.rpm
--------------------------------
drupal
drupal-mysql
drupal-postgresql
drupal-sqlite
Comment 3 claire robinson 2013-01-31 12:31:45 CET
For procedure see bug 8442
Comment 4 claire robinson 2013-01-31 12:33:14 CET
Testing mga2 64
Comment 5 claire robinson 2013-01-31 13:24:08 CET
Testing complete drupal mga2 64 with mysql, postgresql & sqlite
Comment 6 Dave Hodgins 2013-02-02 04:02:34 CET
Testing i586 shortly.
Comment 7 Dave Hodgins 2013-02-02 04:40:02 CET
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm
drupal-7.19-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Multiple vulnerabilities were fixed in the supported Drupal core versions
7(DRUPAL-SA-CORE-2013-001).

* A reflected cross-site scripting vulnerability (XSS) was identified in
certain Drupal JavaScript functions that pass unexpected user input into jQuery
causing it to insert HTML into the page when the intended behavior is to select
DOM elements. Multiple core and contributed modules are affected by this issue.

* A vulnerability was identified that exposes the title or, in some cases, the
content of nodes that the user should not have access to.

* Drupal core provides the ability to have private files, including images. A
vulnerability was identified in which derivative images (which Drupal
automatically creates from these images based on "image styles" and which may
differ, for example, in size or saturation) did not always receive the same
protection. Under some circumstances, this would allow users to access image
derivatives for images they should not be able to view.

The drupal package was updated to latest version 7.19 to fix above
vulnerabilities

https://bugs.mageia.org/show_bug.cgi?id=8733
Comment 8 Thomas Backlund 2013-02-06 22:59:06 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0027

Note You need to log in before you can comment on or make changes to this bug.