Upstream Drupal has reported SA-CORE-2012-004 [1] which corrects multiple vulnerabilities:

1) Access bypass (User module search - Drupal 6 and 7)
2) Access bypass (Upload module - Drupal 6)
3) Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)

CVEs have been requested and are not yet assigned. These flaws have been fixed in Drupal 6.27 and 7.18.

[1] http://drupal.org/SA-CORE-2012-004
Created drupal7 tracking bugs for this issue

Affects: fedora-all [bug 888993]
Affects: epel-all [bug 888994]
Created drupal6 tracking bugs for this issue

Affects: fedora-all [bug 888991]
Affects: epel-all [bug 888992]
CVE assignments as per: http://www.openwall.com/lists/oss-security/2012/12/20/1

CVE-2012-5651: Access bypass (User module search - Drupal 6 and 7)
CVE-2012-5652: Access bypass (Upload module - Drupal 6)
CVE-2012-5653: Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)
1) References for CVE-2012-5651:
---------------------------------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5651
http://www.openwall.com/lists/oss-security/2012/12/20/1
http://drupal.org/SA-CORE-2012-004
http://drupalcode.org/project/drupal.git/commitdiff/b47f95d
http://drupalcode.org/project/drupal.git/commitdiff/da8023a
http://www.securityfocus.com/bid/56993
http://www.osvdb.org/88528
http://xforce.iss.net/xforce/xfdb/80792

2) References for CVE-2012-5652:
---------------------------------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5652
http://www.openwall.com/lists/oss-security/2012/12/20/1
http://drupal.org/SA-CORE-2012-004
http://drupalcode.org/project/drupal.git/commitdiff/da8023a
http://www.securityfocus.com/bid/56993
http://osvdb.org/88527
http://secunia.com/advisories/51517
http://xforce.iss.net/xforce/xfdb/80794

3) References for CVE-2012-5653:
---------------------------------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5653
http://www.openwall.com/lists/oss-security/2012/12/20/1
http://drupal.org/SA-CORE-2012-004
http://drupalcode.org/project/drupal.git/commitdiff/b47f95d
http://drupalcode.org/project/drupal.git/commitdiff/da8023a
http://www.securityfocus.com/bid/56993
http://osvdb.org/88529
http://xforce.iss.net/xforce/xfdb/80795
drupal6-6.27-1.el6, drupal7-7.18-1.el6 have been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
drupal6-6.27-1.el5, drupal7-7.18-1.el5 have been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
drupal6-6.27-1.fc17, drupal7-7.18-1.fc17 have been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
drupal6-6.27-1.fc16, drupal7-7.18-1.fc16 have been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.