Bug 519244 (CVE-2014-5249)

Summary: <www-apps/drupal-{6.33,7.31}: Denial of service (SA-CORE-2014-004) (CVE-2014-{5249,5250,5265,5266,5267,5268})
Product: Gentoo Security
Reporter: MickKi <confabulate>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.drupal.org/SA-CORE-2014-004
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description MickKi 2014-08-06 19:35:55 UTC
Request for security bump to 7.31 and 6.33 due to DoS vulnerability.

Reproducible: Always

Actual Results:
Drupal's xmlrpc.php is vulnerable to an XML entity expansion attack and other related XML payload attacks, which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections, leading to DoS.

As a workaround and until an upgrade to >=7.31 or >=6.33, you can remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module if installed.
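A pre-parse screen of the kind a reverse proxy or request filter could apply to traffic bound for xmlrpc.php while the workaround above is in place, added here as an example (not part of this bug report or of Drupal's code): it refuses any XML-RPC body that carries a DOCTYPE and estimates how large the declared entities would expand, without ever expanding them. The function names and the two sample payloads are constructed for this example.

```python
"""Screen an XML-RPC request body for DTD/entity-expansion abuse before it reaches the
XML parser (added example, not Drupal code; sample payloads are constructed)."""
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.-]*);')
DOCTYPE = re.compile(r'<!DOCTYPE', re.IGNORECASE)

def expanded_size(name, entities, memo, stack):
    """Characters &name; would occupy after full expansion, computed without ever
    building the expanded string (a billion-laughs DTD costs almost nothing here)."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError(f"recursive entity reference: &{name};")
    value = entities.get(name)
    if value is None:  # predefined (&amp;) or undeclared: counts as its literal text
        return len(name) + 2
    stack.add(name)
    total, last = 0, 0
    for m in ENTITY_REF.finditer(value):
        total += m.start() - last + expanded_size(m.group(1), entities, memo, stack)
        last = m.end()
    stack.discard(name)
    memo[name] = total + len(value) - last
    return memo[name]

def screen_xmlrpc_body(xml_text):
    """Return (accepted, expanded_chars, reason). XML-RPC never needs a DTD, so any
    DOCTYPE is refused; the size estimate lets the alert be triaged by amplification."""
    doc = DOCTYPE.search(xml_text)
    if doc is None:
        return True, len(xml_text), "no DTD"
    end = xml_text.find(']>', doc.start())  # internal subset ends ']>', bare DOCTYPE ends '>'
    end = end + 2 if end != -1 else xml_text.find('>', doc.start()) + 1
    dtd, body = xml_text[doc.start():end], xml_text[:doc.start()] + xml_text[end:]
    entities = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                for m in ENTITY_DECL.finditer(dtd)}
    memo, stack, total = {}, set(), len(body)
    try:
        for m in ENTITY_REF.finditer(body):
            total += expanded_size(m.group(1), entities, memo, stack) - len(m.group(0))
    except ValueError as err:
        return False, None, str(err)
    return False, total, f"DTD present; {len(entities)} entities expand to {total} characters"

BENIGN = '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>'
NESTED = ('<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY a "aaaaaaaaaa">'
          '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"><!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>'
          '<methodCall><methodName>&c;</methodName></methodCall>')
```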
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-08-06 20:37:13 UTC
*** Bug 518346 has been marked as a duplicate of this bug. ***
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-08-14 13:00:23 UTC
12:59 < irker982> gentoo-x86: jmbsvicetto www-apps/drupal: Version bump - 6.33 and 7.31. Fixes bug 519244 - (SA-CORE-2014-004).

Bump done and old versions dropped.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-14 13:03:41 UTC
Maintainers, thanks for your work.