Bug 517364 (CVE-2014-5019) - <www-apps/drupal-{6.32,7.29}: Multiple vulnerabilities (CVE-2014-{5019,5020,5021,5022})
Summary: <www-apps/drupal-{6.32,7.29}: Multiple vulnerabilities (CVE-2014-{5019,5020,5...
Status: RESOLVED FIXED
Alias: CVE-2014-5019
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.drupal.org/SA-CORE-2014-003
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-17 20:46 UTC by MickKi
Modified: 2014-07-27 22:01 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description MickKi 2014-07-17 20:46:18 UTC
Can you please update the tree with the latest drupal versions 6.32 and 7.29.  They are needed urgently to mitigate a number of security vulnerabilities.
-- 
Regards,
Mick

Reproducible: Always
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2014-07-17 21:00:32 UTC
Versions affected
    Drupal core 6.x versions prior to 6.32.
    Drupal core 7.x versions prior to 7.29.

No CVEs have currently been assigned, but according to the SA they have been requested.

Packages are not stabilized, changing whiteboard to ~3.
Comment 2 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-07-21 08:30:27 UTC
Drupal Advisory ID: DRUPAL-SA-CORE-2014-003

I've asked on the oss-sec if a CVE has been assigned for it.
Comment 3 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-07-21 09:46:36 UTC
09:45 < irker291> gentoo-x86: jmbsvicetto www-apps/drupal: Security bump for Drupal - fixes bug 517364 (SA-CORE-2014-003).
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2014-07-21 10:33:17 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #3)
> 09:45 < irker291> gentoo-x86: jmbsvicetto www-apps/drupal: Security bump for
> Drupal - fixes bug 517364 (SA-CORE-2014-003).

Thanks. Please also clean up affected versions
Comment 5 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-07-22 00:39:38 UTC
(In reply to Kristian Fiskerstrand from comment #4)
> (In reply to Jorge Manuel B. S. Vicetto from comment #3)
> > 09:45 < irker291> gentoo-x86: jmbsvicetto www-apps/drupal: Security bump for
> > Drupal - fixes bug 517364 (SA-CORE-2014-003).
> 
> Thanks. Please also clean up affected versions

Done. I thought I had done it at the same time, but failed to notice the affected versions weren't dropped.
Comment 6 Kristian Fiskerstrand gentoo-dev Security 2014-07-22 21:08:04 UTC
Thanks. As these packages have not been stabilized, closing noglsa. Will add the CVE identifiers once they show up, for reference.
Comment 8 MickKi 2014-07-23 11:08:00 UTC
Thank you all for looking into this.
-- 
Regards,
Mick
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-07-24 14:10:58 UTC
CVE-2014-5022 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5022):
  Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x
  before 7.29 allows remote attackers to inject arbitrary web script or HTML
  via vectors involving forms with an Ajax-enabled textfield and a file field.

CVE-2014-5021 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5021):
  Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x
  before 6.32 and possibly 7.x before 7.29 allows remote authenticated users
  with the "administer taxonomy" permission to inject arbitrary web script or
  HTML via an option group label.

CVE-2014-5020 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5020):
  The File module in Drupal 7.x before 7.29 does not properly check
  permissions to view files, which allows remote authenticated users with
  certain permissions to bypass intended restrictions and read files by
  attaching the file to content with a file field.

CVE-2014-5019 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5019):
  The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows
  remote attackers to cause a denial of service via a crafted HTTP Host
  header, related to determining which configuration file to use.
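The denial of service in CVE-2014-5019 comes from letting an attacker-controlled HTTP Host header drive which per-site configuration file is selected. The following Python sketch is an added illustration of the defensive pattern, not Drupal's code and not the fix shipped in 6.32/7.29: the Host value is length-bounded, syntactically validated label by label, stripped of its port, and then resolved against a fixed allowlist with a capped number of parent-domain lookups, so a crafted header is answered with a rejection (the caller should send a 400) instead of triggering unbounded work or filesystem probing. `KNOWN_SITES`, the limits and the helper names are constructed assumptions.

```python
import re

# Constructed allowlist of the sites this deployment serves (assumption, not Drupal's config).
KNOWN_SITES = {
    "example.com": "sites/example.com",
    "blog.example.com": "sites/blog.example.com",
}
DEFAULT_SITE = "sites/default"

MAX_HOST_LEN = 253          # RFC 1035 limit on a full hostname
MAX_PORT_SUFFIX = 6         # ":65535"
MAX_PARENT_LOOKUPS = 2      # how many leading labels we are willing to strip when falling back
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label; no leading/trailing hyphen


def normalize_host(raw):
    """Return the lowercased hostname without port, or None if the Host header is malformed.

    Every check is O(len(raw)) and the length is capped first, so the cost of
    validating an attacker-chosen value is bounded before any other work happens.
    """
    if raw is None or len(raw) > MAX_HOST_LEN + MAX_PORT_SUFFIX:
        return None
    host = raw.strip().lower()
    if host.startswith("["):          # bracketed IPv6 literals are out of scope for this sketch
        return None
    if ":" in host:
        host, _, port = host.rpartition(":")
        if not port.isdigit() or not 0 < int(port) < 65536:
            return None
    host = host.rstrip(".")           # tolerate a trailing dot (FQDN form)
    if not host or len(host) > MAX_HOST_LEN:
        return None
    if any(not LABEL_RE.match(label) for label in host.split(".")):
        return None
    return host


def candidate_hosts(host, max_strip=MAX_PARENT_LOOKUPS):
    """Return host plus at most max_strip parent domains (never shorter than two labels).

    The number of candidates depends on our cap, not on how many dots the client sent.
    """
    labels = host.split(".")
    strips = min(max_strip, max(0, len(labels) - 2))
    return [".".join(labels[i:]) for i in range(strips + 1)]


def select_site_dir(raw_host):
    """Map a Host header to a site directory, or None if the header must be rejected.

    Resolution is a dictionary lookup against a fixed allowlist: the request can
    never make the server stat arbitrary paths derived from the header.
    """
    host = normalize_host(raw_host)
    if host is None:
        return None
    for candidate in candidate_hosts(host):
        if candidate in KNOWN_SITES:
            return KNOWN_SITES[candidate]
    return DEFAULT_SITE


if __name__ == "__main__":
    # Constructed sample Host values, including a few hostile ones.
    for value in ["WWW.Example.com:8080", "deep.sub.blog.example.com",
                  "unknown.org", "evil..com", "bad host", "a." * 200 + "a"]:
        print(repr(value[:40]), "->", select_site_dir(value))
```

The key design choice is that the attacker can only pick which allowlisted entry (or the default) is returned, never how much work is done or which files are touched: rejecting malformed input up front keeps the cost per request constant.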
Comment 10 MickKi 2014-07-27 12:09:02 UTC
Only to mention that version 7.30 is out to fix a regression bug that was introduced with 7.29.
-- 
Regards,
Mick
Comment 11 Kristian Fiskerstrand gentoo-dev Security 2014-07-27 20:23:12 UTC
(In reply to MickKi from comment #10)
> Only to mention that version 7.30 is out to fix a regression bug that was
> introduced with 7.29.

Please open a new bug report if you want a revision bump for it. This bug was regarding the security issue and that is marked as fixed.
Comment 12 MickKi 2014-07-27 22:01:35 UTC
(In reply to Kristian Fiskerstrand from comment #11)

> Please open a new bug report if you want a revision bump for it. This bug
> was regarding the security issue and that is marked as fixed.

Of course, please see:

https://bugs.gentoo.org/show_bug.cgi?id=518346
-- 
Regards,
Mick