Please see SA-CORE-2015-001 describing Drupal <6.35 and <7.35 vulnerabilities for Access Bypass (Password reset URLs) and Open Redirect (Several vectors including the "destination" URL parameter). Reproducible: Always
Versions affected
Drupal core 6.x versions prior to 6.35
Drupal core 7.x versions prior to 7.35

Solution
Install the latest version:
If you use the Drupal 6.x, upgrade to Drupal core 6.35
If you use the Drupal 7.x, upgrade to Drupal core 7.35

This package is not stable, so please clean up and close after bump.
7.35 was done yesterday. I'll bump 6.35 later today.
23:28 < gentoovcs> jmbsvicetto → gentoo-x86 (www-apps/drupal/) Bump to 7.35 version that addresses SA-CORE-2015-001 - bug 543734.
23:30 < gentoovcs> jmbsvicetto → gentoo-x86 (www-apps/drupal/) Fix commit message - s/7.35/6.35/.

Bump and clean-up done, so I'm closing the bug as fixed.
CVE-2015-2559 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2559): Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.
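Added illustration of the mechanism the CVE text describes (this is the editor's example, not code from the bug, from Drupal core, or from the Gentoo package). It is a simplified Python model of the 7.x one-time-login token: it assumes, as the editor understands the 7.35 fix, that before 7.35 the reset token was an HMAC over the request timestamp and the account's last-login time, keyed by the site private key plus the account's stored password hash, and that 7.35 added the uid to the HMAC input. The private key, the accounts and the timestamp are constructed; the expiry-window and "login unchanged" checks of the real reset handler are left out.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the site's private key (assumption: any per-site secret).
PRIVATE_KEY = "constructed-site-private-key"

# Constructed accounts. Two of them were bulk-created without a password and have
# never logged in, so their 'pass' and 'login' fields are identical: that is the
# "same password hash as another account" precondition in the CVE text.
ACCOUNTS = {
    2: {"name": "victim",   "pass": "", "login": 0},
    7: {"name": "attacker", "pass": "", "login": 0},
    9: {"name": "other",    "pass": "$S$Dconstructed-hash", "login": 0},
}


def hmac_base64(data: str, key: str) -> str:
    """drupal_hmac_base64-style token: HMAC-SHA256, URL-safe base64, '=' stripped."""
    mac = hmac.new(key.encode(), data.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def rehash_vulnerable(password_hash: str, timestamp: int, login: int) -> str:
    """Token as modelled for < 7.35: bound only to the pass hash and last-login time."""
    return hmac_base64(f"{timestamp}{login}", PRIVATE_KEY + password_hash)


def rehash_fixed(password_hash: str, timestamp: int, login: int, uid: int) -> str:
    """Token as modelled for >= 7.35: the uid is also part of the HMAC input."""
    return hmac_base64(f"{timestamp}{login}{uid}", PRIVATE_KEY + password_hash)


def issue_token(uid: int, timestamp: int, bind_uid: bool) -> str:
    """What the site mails out as the token part of user/reset/<uid>/<timestamp>/<token>."""
    acct = ACCOUNTS[uid]
    if bind_uid:
        return rehash_fixed(acct["pass"], timestamp, acct["login"], uid)
    return rehash_vulnerable(acct["pass"], timestamp, acct["login"])


def check_reset_url(uid: int, timestamp: int, token: str, bind_uid: bool) -> bool:
    """Server-side validation: recompute the token for the uid named in the URL
    and compare it in constant time with the token presented."""
    if uid not in ACCOUNTS:
        return False
    expected = issue_token(uid, timestamp, bind_uid)
    return hmac.compare_digest(expected, token)


def forge_reset(attacker_uid: int, victim_uid: int, timestamp: int, bind_uid: bool) -> bool:
    """The attack from the CVE text: request a reset link for your own account, then
    rewrite the uid path segment to the victim's. Returns whether the site accepts it."""
    own_token = issue_token(attacker_uid, timestamp, bind_uid)
    return check_reset_url(victim_uid, timestamp, own_token, bind_uid)


if __name__ == "__main__":
    ts = 1426000000  # constructed request time
    print("legit link, old scheme:        ", check_reset_url(2, ts, issue_token(2, ts, False), False))
    print("forged for victim, old scheme: ", forge_reset(7, 2, ts, bind_uid=False))
    print("forged for victim, uid bound:  ", forge_reset(7, 2, ts, bind_uid=True))
    print("forged vs different hash, old: ", forge_reset(7, 9, ts, bind_uid=False))
```

The point of the model is that in the old scheme nothing in the token names the account it was issued for, so any two accounts whose `pass` and `login` fields collide (for example accounts created by an import with no password and never logged in) share every reset token for a given timestamp, and the attacker needs only their own mailed link plus a change to the uid segment. Binding the uid into the HMAC input, as the fixed variant does, makes the recomputed token for the victim differ from the one issued to the attacker.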