Updated drupal packages fix security vulnerabilities
Publication date: 27 Mar 2015
Modification date: 27 Mar 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-2559, CVE-2015-2749, CVE-2015-2750
Description
Password reset URLs can be forged under certain circumstances, allowing an
attacker to gain access to another user's account without knowing the
account's password (CVE-2015-2559).

Under certain circumstances, malicious users can construct a URL that will
trick users into being redirected to a third-party website, thereby exposing
the users to potential social engineering attacks. In addition, several
URL-related API functions in Drupal 6 and 7 can be tricked into passing
through external URLs when not intended to, potentially leading to
additional open redirect vulnerabilities (CVE-2015-2749, CVE-2015-2750).
References
- https://bugs.mageia.org/show_bug.cgi?id=15537
- https://www.drupal.org/SA-CORE-2015-001
- https://www.drupal.org/drupal-7.35
- https://www.drupal.org/drupal-7.35-release-notes
- http://openwall.com/lists/oss-security/2015/03/20/2
- http://openwall.com/lists/oss-security/2015/03/26/4
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2559
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2749
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2750
SRPMS
4/core
- drupal-7.35-1.mga4