Mandriva Linux Security Advisory : drupal (MDVSA-2015:181)
High Nessus Plugin ID 82456
SynopsisThe remote Mandriva Linux host is missing one or more security updates.
DescriptionUpdated drupal packages fix security vulnerabilities :
An information disclosure vulnerability was discovered in Drupal before 7.27. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time (CVE-2014-2983).
Multiple security issues in Drupal before 7.29, including a denial of service issue, an access bypass issue in the File module, and multiple cross-site scripting issues (CVE-2014-5019, CVE-2014-5020, CVE-2014-5021, CVE-2014-5022).
A denial of service issue exists in Drupal before 7.31, due to XML entity expansion in a publicly accessible XML-RPC endpoint.
A SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries, and thereby completely control the Drupal site.
This vulnerability can be exploited by remote attackers without any kind of authentication required (CVE-2014-3704).
Aaron Averill discovered that a specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session (CVE-2014-9015).
Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that the password hashing API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service) (CVE-2014-9016). anonymous users (CVE-2014-9016).
Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password (CVE-2015-2559).
Under certain circumstances, malicious users can construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks. In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities (CVE-2015-2749, CVE-2015-2750).
The drupal package has been updated to version 7.35 to fix this issue and other bugs. See the upstream advisory and release notes for more details.
SolutionUpdate the affected packages.