Bug 1120641 (CVE-2014-5019, CVE-2014-5020, CVE-2014-5021, CVE-2014-5022)
| Summary: | CVE-2014-5019 CVE-2014-5020 CVE-2014-5021 CVE-2014-5022 drupal7: multiple vulnerabilities (SA-CORE-2014-003) | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | ccoleman, dmcphers, gwync, jialiu, jokerman, kseifried, lmeyer, mmcallis, mmccomas, mmcgrath, peter.borsa, pgervase, security-response-team, shawn, stickster, vkaigoro |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | drupal 7.29 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-11-24 05:38:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1120642, 1120643, 1122837 | | |
| Bug Blocks: | | | |
Description

Vasyl Kaigorodov 2014-07-17 10:26:03 UTC

Created drupal7 tracking bugs for this issue:

Affects: fedora-all [bug 1120642]
Affects: epel-all [bug 1120643]

MITRE assigned below CVEs for the specified issues:

> Name: CVE-2014-5019
> The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use.
>
> Name: CVE-2014-5020
> The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field.
>
> Name: CVE-2014-5021
> Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label.
>
> Name: CVE-2014-5022
> Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field.

Additional info: http://www.debian.org/security/2014/dsa-2983

(In reply to Vasyl Kaigorodov from comment #2)
> MITRE assigned below CVEs for the specified issues:
>
> > Name: CVE-2014-5019
> > The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use.
>
> > Name: CVE-2014-5021
> > Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label.

These should affect drupal6 in Fedora and EPEL; however, 6.32 is already in testing for those two.

drupal7-7.29-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

drupal7-7.29-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

drupal7-7.31-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

drupal7-7.32-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

All dependent bugs have been closed and all dists have drupal7-7.32 in stable. Can this bug be closed?

(In reply to Shawn Iwinski from comment #10)
> All dependent bugs have been closed and all dists have drupal7-7.32 in stable. Can this bug be closed?

Yup, sorry for leaving this one open too.