Can you please update the tree with the latest Drupal versions, 6.32 and 7.29? They are needed urgently to mitigate a number of security vulnerabilities.

-- Regards, Mick

Reproducible: Always
Versions affected: Drupal core 6.x versions prior to 6.32; Drupal core 7.x versions prior to 7.29. No CVE has currently been assigned, but according to the SA one has been requested. Packages are not stabilized, changing whiteboard to ~3.
Drupal Advisory ID: DRUPAL-SA-CORE-2014-003

I've asked on oss-sec whether a CVE has been assigned for it.
09:45 < irker291> gentoo-x86: jmbsvicetto www-apps/drupal: Security bump for Drupal - fixes bug 517364 (SA-CORE-2014-003).
(In reply to Jorge Manuel B. S. Vicetto from comment #3)
> 09:45 < irker291> gentoo-x86: jmbsvicetto www-apps/drupal: Security bump for
> Drupal - fixes bug 517364 (SA-CORE-2014-003).

Thanks. Please also clean up affected versions.
(In reply to Kristian Fiskerstrand from comment #4)
> (In reply to Jorge Manuel B. S. Vicetto from comment #3)
> > 09:45 < irker291> gentoo-x86: jmbsvicetto www-apps/drupal: Security bump for
> > Drupal - fixes bug 517364 (SA-CORE-2014-003).
>
> Thanks. Please also clean up affected versions

Done. I thought I had done it at the same time, but failed to notice the affected versions weren't dropped.
Thanks. As these packages have not been stabilized, closing noglsa. Will add the CVE identifiers for reference once they show up.
CVEs have now been assigned:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5019
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5020
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5021
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5022
Thank you all for looking into this.

-- Regards, Mick
CVE-2014-5022 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5022):
Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field.

CVE-2014-5021 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5021):
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label.

CVE-2014-5020 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5020):
The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field.

CVE-2014-5019 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5019):
The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use.
Just to mention that version 7.30 is out to fix a regression bug that was introduced with 7.29.

-- Regards, Mick
(In reply to MickKi from comment #10)
> Only to mention that version 7.30 is out to fix a regression bug that was
> introduced with 7.29.

Please open a new bug report if you want a revision bump for it. This bug was regarding the security issue, and that is marked as fixed.
(In reply to Kristian Fiskerstrand from comment #11)
> Please open a new bug report if you want a revision bump for it. This bug
> was regarding the security issue and that is marked as fixed.

Of course, please see: https://bugs.gentoo.org/show_bug.cgi?id=518346

-- Regards, Mick