The upstream Drupal 6.33 and 7.31 releases fix the following issue:

"Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service). All Drupal sites are vulnerable to this attack whether XML-RPC is used or not. In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled)."

Reference: https://www.drupal.org/SA-CORE-2014-004
CVE request: http://www.openwall.com/lists/oss-security/2014/08/07/1
Created drupal7 tracking bugs for this issue:

Affects: fedora-all [bug 1127541]
Affects: epel-all [bug 1127542]
Created drupal6 tracking bugs for this issue:

Affects: fedora-all [bug 1127539]
Affects: epel-all [bug 1127540]
MITRE assigned the following CVEs:

CVE-2014-5265 to the denial of service issue:

http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830

(This CVE also applies to WordPress, https://bugzilla.redhat.com/show_bug.cgi?id=1127547)

CVE-2014-5266 to the "Skip parsing if there is an unreasonably large number of tags" issue in both xmlrpc.inc and xrds.inc:

http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830
http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830

(This CVE also applies to WordPress, https://bugzilla.redhat.com/show_bug.cgi?id=1127547)

CVE-2014-5267 to rejecting certain malformed XRDS documents:

http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830
(In reply to Murray McAllister from comment #4)
> MITRE assigned the following CVEs:
>
> CVE-2014-5265 to the denial of service issue:
>
> http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830
>
> (This CVE also applies to WordPress,
> https://bugzilla.redhat.com/show_bug.cgi?id=1127547)
>
> CVE-2014-5266 to the "Skip parsing if there is an unreasonably large number
> of tags" issue in both xmlrpc.inc and xrds.inc:
>
> http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830
> http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830
>
> (This CVE also applies to WordPress,
> https://bugzilla.redhat.com/show_bug.cgi?id=1127547)
>
> CVE-2014-5267 to rejecting certain malformed XRDS documents:
>
> http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830

Reference: http://seclists.org/oss-sec/2014/q3/385
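The advisory quoted in the first comment names the payload class (XML entity expansion and related oversized-XML attacks against xmlrpc.php), and comment #4 names the shape of the fix for CVE-2014-5266 ("Skip parsing if there is an unreasonably large number of tags"). The block below is an added illustration of those two defensive ideas, written for this page; it is not Drupal's code (the linked fixes are PHP in xmlrpc.inc and xrds.inc) and not the WordPress fix. It is in Python so that it runs stand-alone: it refuses any request body that carries a DOCTYPE (the only place an XML-RPC message could declare entities), and it counts start tags with a streaming parser so that an oversized message is dropped before any tree is built. The limits, the allowed root elements, the function names and the sample payloads are all constructed for the example.

```python
"""Pre-parse guard for an XML-RPC endpoint.

Added illustration, not Drupal's code: it shows the two defensive ideas the
advisory and fix description point at, refusing any DTD (entity expansion
needs one) and counting start tags with a streaming parser so an oversized
message is dropped before a tree is built.  Limits, names and sample
payloads below are constructed for this example.
"""
import xml.parsers.expat

# Assumed policy values; tune them to the deployment.
MAX_BODY_BYTES = 1 << 20       # an XML-RPC call rarely needs more than 1 MiB
MAX_TAG_COUNT = 30000          # start tags permitted per message
ALLOWED_ROOTS = {"methodCall", "methodResponse"}


class RejectedXml(ValueError):
    """The request body failed one of the guard checks."""


def xmlrpc_guard(body: bytes, max_tags: int = MAX_TAG_COUNT,
                 max_bytes: int = MAX_BODY_BYTES) -> dict:
    """Return {'root': ..., 'tags': ...} for an acceptable body, else raise RejectedXml.

    The guard never resolves entities or external DTDs and stops at the first
    violation, so the work spent on a hostile message is bounded by max_bytes,
    not by what the message would expand to.
    """
    if len(body) > max_bytes:
        raise RejectedXml(f"body exceeds {max_bytes} bytes")

    state = {"root": None, "tags": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on '<!DOCTYPE', before any <!ENTITY> in the internal subset
        # is seen, so a billion-laughs payload never gets to declare entities.
        raise RejectedXml("DOCTYPE not permitted in XML-RPC")

    def on_entity_decl(*_args):
        raise RejectedXml("entity declaration not permitted")

    def on_start(name, _attrs):
        if state["root"] is None:
            state["root"] = name
            if name not in ALLOWED_ROOTS:
                raise RejectedXml(f"unexpected root element <{name}>")
        state["tags"] += 1
        if state["tags"] > max_tags:
            raise RejectedXml(f"more than {max_tags} tags")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    # Never fetch or expand parameter entities (external DTDs).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(body, True)      # handler exceptions propagate out of Parse
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedXml(f"malformed XML: {exc}") from exc
    return state


def verdict(body: bytes, **limits) -> str:
    """'accept', or 'reject: <reason>'; convenient for logging and tests."""
    try:
        xmlrpc_guard(body, **limits)
        return "accept"
    except RejectedXml as exc:
        return f"reject: {exc}"


# Constructed sample payloads.
BENIGN = (b'<?xml version="1.0"?>\n'
          b"<methodCall><methodName>system.listMethods</methodName>"
          b"<params/></methodCall>")

BILLION_LAUGHS = (b'<?xml version="1.0"?>\n'
                  b"<!DOCTYPE lolz [\n"
                  b' <!ENTITY lol "lol">\n'
                  b' <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
                  b' <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\n'
                  b"]>\n"
                  b"<methodCall><methodName>&lol2;</methodName></methodCall>")


def tag_flood(n: int) -> bytes:
    """A well-formed methodCall carrying n params (3 start tags each), no DTD."""
    param = b"<param><value><i4>1</i4></value></param>"
    return (b"<methodCall><methodName>x</methodName><params>"
            + param * n + b"</params></methodCall>")


if __name__ == "__main__":
    for label, body, limits in [("benign", BENIGN, {}),
                                ("billion laughs", BILLION_LAUGHS, {}),
                                ("tag flood", tag_flood(1000), {"max_tags": 500})]:
        print(f"{label:15s} -> {verdict(body, **limits)}")
```

Rejecting every DOCTYPE is safe for XML-RPC because the protocol defines no DTD, so a legitimate client has no reason to send one; the tag cap is the cheaper, streaming form of the "unreasonably large number of tags" check, and the real XML-RPC parser runs only on a body the guard has already accepted.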
drupal7-7.31-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-7.31-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-7.31-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
drupal6-6.33-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
drupal6-6.33-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
drupal6-6.33-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-7.32-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
All dependent bugs have been closed and all dists have drupal7-7.32 in stable. Can this bug be closed?