Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 519244 (CVE-2014-5249) - <www-apps/drupal-{6.33,7.31}: Denial of service (SA-CORE-2014-004) (CVE-2014-{5249,5250,5265,5266,5267,5268})
Summary: <www-apps/drupal-{6.33,7.31}: Denial of service (SA-CORE-2014-004) (CVE-2014-...
Alias: CVE-2014-5249
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
: 518346 (view as bug list)
Depends on:
Reported: 2014-08-06 19:35 UTC by MickKi
Modified: 2014-08-17 10:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description MickKi 2014-08-06 19:35:55 UTC
Request for security bump to 7.31 and 6.33 due to DoS vulnerability.

Reproducible: Always

Actual Results:  
Drupal's xmlrpc.php is vulnerable to an XML entity expansion attack and other related XML payload attacks, which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections, leading to DoS.

As a workaround and until an upgrade to >=7.31 or >=6.33, you can remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module if installed.
Comment 1 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-08-06 20:37:13 UTC
*** Bug 518346 has been marked as a duplicate of this bug. ***
Comment 2 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-08-14 13:00:23 UTC
12:59 < irker982> gentoo-x86: jmbsvicetto www-apps/drupal: Version bump - 6.33 and 7.31. Fixes bug 519244 - (SA-CORE-2014-004).

Bump done and old versions dropped.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-14 13:03:41 UTC
Maintainers, thanks for your work.