Stefan Horst discovered a pre-authenticated SQL injection flaw in Drupal. This could lead to code execution and privilege escalation.
Upstream patch:
https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch
This issue has been fixed in Drupal 7.32. Version 7.32 is an updates candidate in Fedora and EPEL.
References:
https://www.drupal.org/SA-CORE-2014-005
http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
Created drupal7 tracking bugs for this issue:
Affects: fedora-all [bug 1153403]
Affects: epel-all [bug 1153404]
drupal7-7.32-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-7.32-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-7.32-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-7.32-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-7.32-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
All dependent bugs have been closed and all dists have drupal7-7.32 in stable. Can this bug be closed?
(In reply to Shawn Iwinski from comment #8)
> All dependent bugs have been closed and all dists have drupal7-7.32 in
> stable. Can this bug be closed?
Yes, sorry for leaving it open!