Updated drupal packages fix security vulnerability
Publication date: 25 Oct 2014
Modification date: 25 Oct 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-3704
Description
An SQL injection issue exists in Drupal before 7.32 due to the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries, and thereby completely control the Drupal site. Remote attackers can exploit this vulnerability without any authentication (CVE-2014-3704).
References
- https://bugs.mageia.org/show_bug.cgi?id=14298
- https://www.drupal.org/SA-CORE-2014-005
- https://www.drupal.org/drupal-7.32
- https://www.drupal.org/drupal-7.32-release-notes
- http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
- http://www.debian.org/security/2014/dsa-3051
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
SRPMS
4/core
- drupal-7.32-1.mga4
3/core
- drupal-7.32-1.mga3