From Mageia wiki
Revision as of 20:09, 6 February 2013 by Tmb (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

MGASA-2013-0027

Date: February 6th, 2013
Affected releases: 2
Media: Core


Description:
Multiple vulnerabilities were fixed in the supported Drupal core version 7
(DRUPAL-SA-CORE-2013-001).

A reflected cross-site scripting vulnerability (XSS) was identified in
certain Drupal JavaScript functions that pass unexpected user input into
jQuery causing it to insert HTML into the page when the intended behavior
is to select DOM elements. Multiple core and contributed modules are
affected by this issue.

A vulnerability was identified that exposes the title or, in some cases,
the content of nodes that the user should not have access to.

Drupal core provides the ability to have private files, including images.
A vulnerability was identified in which derivative images (which Drupal
automatically creates from these images based on "image styles" and which
may differ, for example, in size or saturation) did not always receive the
same protection. Under some circumstances, this would allow users to access
image derivatives for images they should not be able to view.

The drupal package was updated to latest version 7.19 to fix above
vulnerabilities.


Updated Packages:
i586:
drupal-7.19-1.mga2.noarch.rpm
drupal-mysql-7.19-1.mga2.noarch.rpm
drupal-postgresql-7.19-1.mga2.noarch.rpm
drupal-sqlite-7.19-1.mga2.noarch.rpm

x86_64:
drupal-7.19-1.mga2.noarch.rpm
drupal-mysql-7.19-1.mga2.noarch.rpm
drupal-postgresql-7.19-1.mga2.noarch.rpm
drupal-sqlite-7.19-1.mga2.noarch.rpm

SRPMS:
drupal-7.19-1.mga2.src.rpm


References:
https://bugs.mageia.org/show_bug.cgi?id=8733