[drupal7] CVE-2014-3704 - Drupal - pre Auth SQL Injection Vulnerability

Related Vulnerabilities: CVE-2014-3704  

Debian Bug report logs - #765507

Package: drupal7; Maintainer for drupal7 is Gunnar Wolf <gwolf@debian.org>; Source for drupal7 is src:drupal7.

Reported by: Ingo Juergensmann <ij@2013.bluespice.org>

Date: Wed, 15 Oct 2014 17:21:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions drupal7/7.14-2, drupal7/7.31-1

Fixed in versions drupal7/7.32-1~bpo70+1, drupal7/7.32-1, drupal7/7.14-2+deb7u7~bpo60+1, drupal7/7.14-2+deb7u7

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#765507; Package drupal7. (Wed, 15 Oct 2014 17:21:07 GMT)


Acknowledgement sent to Ingo Juergensmann <ij@2013.bluespice.org>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>. (Wed, 15 Oct 2014 17:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Ingo Juergensmann <ij@2013.bluespice.org>
To: submit@bugs.debian.org
Subject: [drupal7] CVE-2014-3704 - Drupal - pre Auth SQL Injection Vulnerability
Date: Wed, 15 Oct 2014 19:06:34 +0200

Package: drupal7
Version: 7.31-1
Severity: normal
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

--- Please enter the report below this line. ---

Hi!

There's a security issue in all Drupal7 versions <7.32. See:
- https://www.drupal.org/drupal-7.32-release-notes
- https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

Please provide a new and fixed package. Thanks!


--- System information. ---
Architecture: amd64
Kernel:       Linux 3.16-2-amd64

Debian Release: jessie/sid
  500 unstable        www.deb-multimedia.org
  500 unstable        ftp.de.debian.org

--- Package information. ---
Depends                    (Version) | Installed
====================================-+-============
debconf                    (>= 0.5)  | 1.5.53
 OR debconf-2.0                      |
apache2                              | 2.4.10-5
 OR httpd                            |
php5                                 | 5.6.0+dfsg-1
php5-mysql                           | 5.6.0+dfsg-1+b1
 OR php5-pgsql                       | 5.6.0+dfsg-1+b1
 OR php5-sqlite                      | 5.6.0+dfsg-1+b1
php5-gd                              | 5.6.0+dfsg-1+b1
default-mta                          |
 OR mail-transport-agent             |
wwwconfig-common         (>= 0.0.37) | 0.2.2
mysql-client                         | 5.5.39-1
 OR virtual-mysql-client             |
 OR postgresql-client                | 9.4+162
dbconfig-common                      | 1.8.47+nmu1
curl                                 | 7.38.0-2


Recommends        (Version) | Installed
===========================-+-===========
mysql-server                | 5.5.39-1
 OR postgresql              | 9.4+162
 OR sqlite3                 | 3.8.6-1


Package's Suggests field is empty.




-- 
Ciao...            //      Fon: 0381-2744150
      Ingo       \X/       http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc



Reply sent to Gunnar Wolf <gwolf@gwolf.org>:
You have taken responsibility. (Fri, 17 Oct 2014 16:00:20 GMT)


Notification sent to Ingo Juergensmann <ij@2013.bluespice.org>:
Bug acknowledged by developer. (Fri, 17 Oct 2014 16:00:20 GMT)


Message #10 received at 765507-done@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: 765507-done@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: [drupal7] CVE-2014-3704 - Drupal - pre Auth SQL Injection Vulnerability
Date: Fri, 17 Oct 2014 10:50:21 -0500

notfound 765507 7.32-1~bpo70+1
notfound 765507 7.32-1
notfound 765507 7.14-2+deb7u7
notfound 765507 7.14-2+deb7u6~bpo60+1
thanks

Version: 7.32-1

The fixed package was uploaded concurrently with this bug's
filing. Closing it by hand :)



Marked as found in versions drupal7/7.14-2 and reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Oct 2014 16:06:04 GMT)


Marked as fixed in versions drupal7/7.32-1~bpo70+1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Oct 2014 16:06:05 GMT)


Marked as fixed in versions drupal7/7.32-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Oct 2014 16:06:06 GMT)


Marked as fixed in versions drupal7/7.14-2+deb7u7. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Oct 2014 16:06:07 GMT)


Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Oct 2014 16:21:08 GMT)


Notification sent to Ingo Juergensmann <ij@2013.bluespice.org>:
Bug acknowledged by developer. (Fri, 17 Oct 2014 16:21:09 GMT)


Severity set to 'grave' from 'normal' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Oct 2014 16:21:13 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Oct 2014 16:21:18 GMT)


Message sent on to Ingo Juergensmann <ij@2013.bluespice.org>:
Bug#765507. (Fri, 17 Oct 2014 16:21:26 GMT)


Message #29 received at 765507-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 765507-submitter@bugs.debian.org
Subject: closing 765507
Date: Fri, 17 Oct 2014 18:16:04 +0200

close 765507 7.32-1
thanks

Sorry for the reopen, tried to mark it with the fixed control command (vs.
notfound) to get the version tracking information right.




Marked as fixed in versions drupal7/7.14-2+deb7u7~bpo60+1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Oct 2014 16:48:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Jan 2015 07:25:05 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:25:38 2019; Machine Name: buxtehude
