Upstream fixed 2 Moderate and 2 Critical impact issues in Drupal 7.29.

More details: https://www.drupal.org/SA-CORE-2014-003

No CVEs have been assigned so far.
Created drupal7 tracking bugs for this issue:

Affects: fedora-all [bug 1120642]
Affects: epel-all [bug 1120643]
MITRE assigned the CVEs below for the specified issues:

> Name: CVE-2014-5019
> The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29
> allows remote attackers to cause a denial of service via a crafted
> HTTP Host header, related to determining which configuration file to
> use.
>
> Name: CVE-2014-5020
> The File module in Drupal 7.x before 7.29 does not properly check
> permissions to view files, which allows remote authenticated users
> with certain permissions to bypass intended restrictions and read
> files by attaching the file to content with a file field.
>
> Name: CVE-2014-5021
> Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x
> before 6.32 and possibly 7.x before 7.29 allows remote authenticated
> users with the "administer taxonomy" permission to inject arbitrary
> web script or HTML via an option group label.
>
> Name: CVE-2014-5022
> Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal
> 7.x before 7.29 allows remote attackers to inject arbitrary web script
> or HTML via vectors involving forms with an Ajax-enabled textfield and
> a file field.

Additional info: http://www.debian.org/security/2014/dsa-2983
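The CVE-2014-5019 description says only that a crafted Host header reaches the code that decides which configuration file a multisite install uses. The check a practitioner wants at that point is that the header is validated before it drives any lookups, and that the number of candidate directories probed per request is bounded. The following is an added example written for this comment, not Drupal's own conf_path() and not a reconstruction of the 7.29 fix: the sites/<host> layout, the length and label limits, the candidate order, and the helper names (valid_http_host, config_candidates, select_config_dir) are all assumptions for illustration.

```php
<?php
// Added example (not Drupal's own code): select a multisite configuration
// directory from the HTTP Host header only after the header has been
// validated and the number of candidate directories bounded. The
// sites/<host> layout, the limits and the candidate order are assumptions.

const MAX_HOST_LENGTH = 253;  // RFC 1035 limit on a full hostname
const MAX_LABEL_LENGTH = 63;  // RFC 1035 limit on a single label
const MAX_HOST_LABELS = 8;    // assumed cap on dot-separated labels

// Accept only "hostname" or "hostname:port" built from DNS-name characters,
// with bounded total length, label length and label count. Anything else
// is rejected before the value is used for any lookup.
function valid_http_host(string $host): bool {
    if ($host === '' || strlen($host) > MAX_HOST_LENGTH) {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9.-]+(:[0-9]{1,5})?$/', $host)) {
        return false;
    }
    $labels = explode('.', explode(':', $host, 2)[0]);
    if (count($labels) > MAX_HOST_LABELS) {
        return false;
    }
    foreach ($labels as $label) {
        if ($label === '' || strlen($label) > MAX_LABEL_LENGTH) {
            return false;
        }
    }
    return true;
}

// Candidate directories from most to least specific, e.g.
// "www.example.com" -> www.example.com, example.com, com, default.
// A port becomes a leading label ("example.com:8080" -> 8080.example.com),
// the convention Drupal's example.sites.php documents. Because the label
// count is capped by valid_http_host(), this list has a fixed upper size.
function config_candidates(string $host): array {
    $parts = explode(':', strtolower($host), 2);
    $labels = explode('.', $parts[0]);
    if (isset($parts[1])) {
        array_unshift($labels, $parts[1]);
    }
    $candidates = [];
    while ($labels !== []) {
        $candidates[] = implode('.', $labels);
        array_shift($labels);
    }
    $candidates[] = 'default';
    return $candidates;
}

// $dir_exists stands in for file_exists(). Returns the selected directory,
// or null when the Host header is rejected (the caller should answer 400
// rather than fall back to a default site).
function select_config_dir(string $host, callable $dir_exists): ?string {
    if (!valid_http_host($host)) {
        return null;
    }
    foreach (config_candidates($host) as $candidate) {
        if ($dir_exists('sites/' . $candidate)) {
            return 'sites/' . $candidate;
        }
    }
    return 'sites/default';
}

// Constructed site layout and sample Host headers, including two shaped
// like an abusive request: far too many labels, and an over-long value.
$existing = ['sites/example.com', 'sites/default'];
$lookups = 0;
$dir_exists = function (string $dir) use ($existing, &$lookups): bool {
    $lookups++;
    return in_array($dir, $existing, true);
};

$samples = [
    'www.example.com',
    'example.com:8080',
    'a.b.c.d.e.f.g.h.i.example.com',
    str_repeat('a.', 300) . 'com',
    'bad host!',
];
foreach ($samples as $host) {
    $lookups = 0;
    $dir = select_config_dir($host, $dir_exists);
    printf("%-32s -> %-18s (%d lookups)\n",
        substr($host, 0, 32), $dir ?? '400 Bad Request', $lookups);
}
```

Run with `php example.php`: the two well-formed hosts resolve to sites/example.com after two lookups each, while the three malformed ones are rejected with zero filesystem lookups. The design point is that the rejection happens before the header participates in any path construction, and that even an accepted header can only produce MAX_HOST_LABELS + 2 candidates.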
(In reply to Vasyl Kaigorodov from comment #2)
> MITRE assigned the CVEs below for the specified issues:
>
> > Name: CVE-2014-5019
> > The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29
> > allows remote attackers to cause a denial of service via a crafted
> > HTTP Host header, related to determining which configuration file to
> > use.
>
> > Name: CVE-2014-5021
> > Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x
> > before 6.32 and possibly 7.x before 7.29 allows remote authenticated
> > users with the "administer taxonomy" permission to inject arbitrary
> > web script or HTML via an option group label.

These should affect drupal6 in Fedora and EPEL; however, 6.32 is already in testing for those two.
drupal7-7.29-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-7.29-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-7.31-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
drupal7-7.32-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
All dependent bugs have been closed and all dists have drupal7-7.32 in stable. Can this bug be closed?
(In reply to Shawn Iwinski from comment #10)
> All dependent bugs have been closed and all dists have drupal7-7.32 in
> stable. Can this bug be closed?

Yup, sorry for leaving this one open too.