A flaw was found in Drupal 7. When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.
This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.
Created drupal7 tracking bugs for this issue:
Affects: epel-all [bug 1548195]
Affects: fedora-all [bug 1548194]
All dependent bugs have been closed. Can this tracking bug be closed as well?
In reply to comment #2:
> All dependent bugs have been closed. Can this tracking bug be closed as
drupal6-6.38-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.