Drupal 6.29 and 7.24 were released November 20th, and with them SA-CORE-2013-003, which describes the following:
Affecting both Drupal 6.x and 7.x:
* Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7)
* Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7)
* Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7)
* Access bypass (Security token validation - Drupal 6 and 7)
Affecting only Drupal 7.x:
* Cross-site scripting (Image module - Drupal 7)
* Cross-site scripting (Color module - Drupal 7)
* Open redirect (Overlay module - Drupal 7)
CVEs have not yet been assigned.
External Reference: https://drupal.org/SA-CORE-2013-003
Created drupal7 tracking bugs for this issue:
Affects: fedora-all [bug 1033761]
Affects: epel-all [bug 1033762]
Created drupal6 tracking bugs for this issue:
Affects: fedora-all [bug 1033759]
Affects: epel-all [bug 1033760]
duplicate of 1032973 ?
*** This bug has been marked as a duplicate of bug 1032973 ***
Probably should have been closed the other way around. Please let SRT handle that next time.