Comment 1 Kristian Fiskerstrand (RETIRED) 2015-03-20 18:07:54 UTC

Versions affected
    Drupal core 6.x versions prior to 6.35
    Drupal core 7.x versions prior to 7.35

Solution
Install the latest version:
    If you use the Drupal 6.x, upgrade to Drupal core 6.35
    If you use the Drupal 7.x, upgrade to Drupal core 7.35


This package is not stable, so please cleanup and close after bump.

Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) 2015-03-20 18:20:47 UTC

7.35 was done yesterday. I'll bump 6.35 later today.

Comment 3 Jorge Manuel B. S. Vicetto (RETIRED) 2015-03-21 23:32:06 UTC

23:28 < gentoovcs> jmbsvicetto → gentoo-x86 (www-apps/drupal/) Bump to 7.35 version that addresses SA-CORE-2015-001 - bug 543734.
23:30 < gentoovcs> jmbsvicetto → gentoo-x86 (www-apps/drupal/) Fix commit message - s/7.35/6.35/.

Bump and clean-up done, so I'm closing the bug as fixed.

Comment 4 GLSAMaker/CVETool Bot 2015-03-28 17:27:33 UTC

CVE-2015-2559 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2559):
  Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users
  to reset the password of other accounts by leveraging an account with the
  same password hash as another account and a crafted password reset URL.