Mageia alert MGASA-2015-0121 (drupal)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2015-0121: Updated drupal packages fix security vulnerabilities 
Date:
    	     
 
Fri, 27 Mar 2015 22:12:42 +0100
Message-ID:
    	     
 
<20150327211242.863D34106E@valstar.mageia.org>
MGASA-2015-0121 - Updated drupal packages fix security vulnerabilities

Publication date: 27 Mar 2015
URL: http://advisories.mageia.org/MGASA-2015-0121.html
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-2559,
     CVE-2015-2749,
     CVE-2015-2750

Description:
Password reset URLs can be forged under certain circumstances, allowing an
attacker to gain access to another user's account without knowing the
account's password (CVE-2015-2559).

Under certain circumstances, malicious users can construct a URL that will
trick users into being redirected to a 3rd party website, thereby exposing
the users to potential social engineering attacks. In addition, several
URL-related API functions in Drupal 6 and 7 can be tricked into passing
through external URLs when not intending to, potentially leading to
additional open redirect vulnerabilities (CVE-2015-2749, CVE-2015-2750).

References:
- https://bugs.mageia.org/show_bug.cgi?id=15537
- https://www.drupal.org/SA-CORE-2015-001
- https://www.drupal.org/drupal-7.35
- https://www.drupal.org/drupal-7.35-release-notes
- http://openwall.com/lists/oss-security/2015/03/20/2
- http://openwall.com/lists/oss-security/2015/03/26/4
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2559
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2749
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2750

SRPMS:
- 4/core/drupal-7.35-1.mga4