Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 519244 (CVE-2014-5249)

Summary: <www-apps/drupal-{6.33,7.31}: Denial of service (SA-CORE-2014-004) (CVE-2014-{5249,5250,5265,5266,5267,5268})
Product: Gentoo Security Reporter: MickKi <confabulate>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.drupal.org/SA-CORE-2014-004
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description MickKi 2014-08-06 19:35:55 UTC
Request for security bump to 7.31 and 6.33 due to DoS vulnerability.


Reproducible: Always

Actual Results:  
Drupal's xmlrpc.php is vulnerable to an XML entity expansion attack and other related XML payload attacks, which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections, leading to DoS.


As a workaround and until an upgrade to >=7.31 or >=6.33, you can remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module if installed.
Comment 1 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-08-06 20:37:13 UTC
*** Bug 518346 has been marked as a duplicate of this bug. ***
Comment 2 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-08-14 13:00:23 UTC
12:59 < irker982> gentoo-x86: jmbsvicetto www-apps/drupal: Version bump - 6.33 and 7.31. Fixes bug 519244 - (SA-CORE-2014-004).

Bump done and old versions dropped.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-14 13:03:41 UTC
Maintainers, thanks for your work.