MGASA-2012-0320
| Date: | November 1st, 2012 |
| Affected releases: | 2 |
Description:
Updated drupal packages fix security vulnerabilities:
Drupal core's text filtering system provides several features
including removing inappropriate HTML tags and automatically linking
content that appears to be a link. A pattern in Drupal's text
matching was found to be inefficient with certain specially crafted
strings. This vulnerability is mitigated by the fact that users must
have the ability to post content sent to the filter system such as a
role with the "post comments" or "Forum topic: Create new content"
permission (CVE-2012-1588).
Drupal core's Form API allows users to set a destination, but failed
to validate that the URL was internal to the site. This weakness
could be abused to redirect the login to a remote site with a
malicious script that harvests the login credentials and redirects to
the live site. This vulnerability is mitigated only by the end user's
ability to recognize a URL with malicious query parameters to avoid
the social engineering required to exploit the problem (CVE-2012-1589).
Drupal core's forum lists fail to check user access to nodes when
displaying them in the forum overview page. If an unpublished node was
the most recently updated in a forum then users who should not have
access to unpublished forum posts were still be able to see meta-data
about the forum post such as the post title (CVE-2012-1590).
Drupal core provides the ability to have private files, including
images, and Image Styles which create derivative images from an
original image that may differ, for example, in size or saturation.
Drupal core failed to properly terminate the page request for cached
image styles allowing users to access image derivatives for images
they should not be able to view. Furthermore, Drupal didn't set the
right headers to prevent image styles from being cached in the
browser (CVE-2012-1591).
Drupal core provides the ability to list nodes on a site at
admin/content. Drupal core failed to confirm a user viewing that page
had access to each node in the list. This vulnerability only concerns
sites running a contributed node access module and is mitigated by the
fact that users must have a role with the "Access the content overview
page" permission. Unpublished nodes were not displayed to users who
only had the "Access the content overview page" permission
(CVE-2012-2153).
The request_path function in includes/bootstrap.inc in Drupal 7.14 and
earlier allows remote attackers to obtain sensitive information via
the q[] parameter to index.php, which reveals the installation path in
an error message (CVE-2012-2922).
A bug in the installer code was identified that allows an attacker to
re-install Drupal using an external database server under certain
transient conditions. This could allow the attacker to execute
arbitrary PHP code on the original server (Drupal SA-CORE-2012-003).
For sites using the core OpenID module, an information disclosure
vulnerability was identified that allows an attacker to read files on
the local filesystem by attempting to log in to the site using a
malicious OpenID server (Drupal SA-CORE-2012-003).
Updated Packages:
drupal-7.16-1.mga2
drupal-mysql-7.16-1.mga2
drupal-postgresql-7.16-1.mga2
drupal-sqlite-7.16-1.mga2
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1588
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2153
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2922
http://drupal.org/node/1557938
http://drupal.org/node/1815912
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081721.html
https://bugs.mageia.org/show_bug.cgi?id=7944
