drupal7 - security update

2014-11-2000:00:00

Google

osv.dev

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

Two vulnerabilities were discovered in Drupal, a fully-featured content
management framework. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2014-9015
Aaron Averill discovered that a specially crafted request can give a
user access to another user’s session, allowing an attacker to
hijack a random session.
CVE-2014-9016
Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered
that the password hashing API allows an attacker to send
specially crafted requests resulting in CPU and memory
exhaustion. This may lead to the site becoming unavailable or
unresponsive (denial of service).

Custom configured session.inc and password.inc need to be audited as
well to verify if they are prone to these vulnerabilities. More
information can be found in the upstream advisory at

For the stable distribution (wheezy), these problems have been fixed in
version 7.14-2+deb7u8.

We recommend that you upgrade your drupal7 packages.

CPENameOperatorVersion
drupal7eq7.14-2+deb7u2~bpo60+1
drupal7eq7.14-2+deb7u3
drupal7eq7.14-2+deb7u5
drupal7eq7.14-2+deb7u7
drupal7eq7.14-2+deb7u6~bpo60+1
drupal7eq7.14-2+deb7u4
drupal7eq7.14-2+deb7u7~bpo60+1
drupal7eq7.14-2+deb7u1
drupal7eq7.14-2
drupal7eq7.14-2+deb7u6

Name	Operator	Version
drupal7	eq	7.14-2+deb7u2~bpo60+1
drupal7	eq	7.14-2+deb7u3
drupal7	eq	7.14-2+deb7u5
drupal7	eq	7.14-2+deb7u7
drupal7	eq	7.14-2+deb7u6~bpo60+1
drupal7	eq	7.14-2+deb7u4
drupal7	eq	7.14-2+deb7u7~bpo60+1
drupal7	eq	7.14-2+deb7u1
drupal7	eq	7.14-2
drupal7	eq	7.14-2+deb7u6