Updated drupal packages fix security vulnerabilities
Publication date: 27 Mar 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-2559, CVE-2015-2749, CVE-2015-2750
Description
Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password (CVE-2015-2559). Under certain circumstances, malicious users can construct a URL that tricks users into being redirected to a third-party website, thereby exposing them to potential social engineering attacks. In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intended to, potentially leading to additional open redirect vulnerabilities (CVE-2015-2749, CVE-2015-2750).
References
- https://bugs.mageia.org/show_bug.cgi?id=15537
- https://www.drupal.org/SA-CORE-2015-001
- https://www.drupal.org/drupal-7.35
- https://www.drupal.org/drupal-7.35-release-notes
- http://openwall.com/lists/oss-security/2015/03/20/2
- http://openwall.com/lists/oss-security/2015/03/26/4
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2559
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2749
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2750
SRPMS
4/core
- drupal-7.35-1.mga4