CVE-2014-9016 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9016): The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request. CVE-2014-9015 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9015): Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.
Tracking bug for CVEs. Versions were already bumped by maintainers and vulnerable versions were dropped. Closing noglsa for ~arch only.