Bug 9277 - drupal new security issue fixed in 7.20
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/541559/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Keywords: validated_update
Reported: 2013-03-06 19:48 CET by David Walser
Modified: 2013-05-02 19:34 CEST

Source RPM: drupal
Description David Walser 2013-03-06 19:48:47 CET
Drupal has released 7.20 to fix upstream advisory SA-CORE-2013-002:
http://drupal.org/drupal-7.20-release-notes

Fedora has issued an advisory on February 23:
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099663.html

Funda has built drupal 7.20 in Mageia 2 updates_testing, but not filed a bug.

Is this ready for QA?

Comment 1 Funda Wang 2013-04-25 04:57:18 CEST
Yes, please test it.
Comment 2 claire robinson 2013-04-25 10:51:39 CEST
Need an advisory please.
Comment 3 David Walser 2013-04-25 15:26:26 CEST
Thanks Funda.

Advisory:
========================

Updated drupal packages fix security vulnerability:

Drupal core's Image module allows for the on-demand generation of image
derivatives. This capability can be abused by requesting a large number of
new derivatives which can fill up the server disk space, and which can cause
a very high CPU load. Either of these effects may lead to the site becoming
unavailable or unresponsive (CVE-2013-0316).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0316
http://drupal.org/SA-CORE-2013-002
http://drupal.org/drupal-7.20-release-notes
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099663.html
========================

Updated packages in core/updates_testing:
========================
drupal-7.20-1.mga2
drupal-mysql-7.20-1.mga2
drupal-postgresql-7.20-1.mga2
drupal-sqlite-7.20-1.mga2

from drupal-7.20-1.mga2.src.rpm
Comment 4 claire robinson 2013-05-02 16:52:26 CEST
Testing mga2 64

Procedure in bug 8442
Comment 5 claire robinson 2013-05-02 17:19:17 CEST
Testing complete mga2 64
Comment 6 claire robinson 2013-05-02 18:05:08 CEST
Testing mga2 32
Comment 7 claire robinson 2013-05-02 18:45:54 CEST
Testing complete mga2 32

Validating

Advisory and SRPM in comment 3

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 8 Thomas Backlund 2013-05-02 19:34:19 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0135
