Bug 888990 (CVE-2012-5651, CVE-2012-5652, CVE-2012-5653)

Summary: CVE-2012-5651 CVE-2012-5652 CVE-2012-5653 drupal: multiple flaws fixed in 6.27/7.18 (SA-CORE-2012-004)
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jlieskov, limburgher, peter.borsa, stickster, sven
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20121219,reported=20121219,source=debian,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,fedora-all/drupal6=affected,epel-all/drupal6=affected,fedora-all/drupal7=affected,epel-all/drupal7=affected
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-01-07 04:11:16 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 888991, 888992, 888993, 888994

Description Vincent Danen 2012-12-19 18:43:41 EST
Upstream Drupal has reported SA-CORE-2012-004 [1] which corrects multiple vulnerabilities:

1) Access bypass (User module search - Drupal 6 and 7)
2) Access bypass (Upload module - Drupal 6)
3) Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)

CVEs have been requested and are not yet assigned.

These flaws have been fixed in Drupal 6.27 and 7.18.

[1] http://drupal.org/SA-CORE-2012-004
Comment 1 Vincent Danen 2012-12-19 18:47:16 EST
Created drupal7 tracking bugs for this issue

Affects: fedora-all [bug 888993]
Affects: epel-all [bug 888994]
Comment 2 Vincent Danen 2012-12-19 18:47:18 EST
Created drupal6 tracking bugs for this issue

Affects: fedora-all [bug 888991]
Affects: epel-all [bug 888992]
Comment 3 Vincent Danen 2012-12-20 12:37:50 EST
CVE assignments as per:

http://www.openwall.com/lists/oss-security/2012/12/20/1

CVE-2012-5651: Access bypass (User module search - Drupal 6 and 7)

CVE-2012-5652: Access bypass (Upload module - Drupal 6)

CVE-2012-5653: Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)
Comment 5 Fedora Update System 2013-01-04 14:39:22 EST
drupal6-6.27-1.el6, drupal7-7.18-1.el6 have been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-01-04 14:43:17 EST
drupal6-6.27-1.el5, drupal7-7.18-1.el5 have been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-01-05 01:35:36 EST
drupal6-6.27-1.fc17, drupal7-7.18-1.fc17 have been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-01-05 01:36:21 EST
drupal6-6.27-1.fc16, drupal7-7.18-1.fc16 have been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.