Arch Linux Security Advisory ASA-201411-25 ========================================== Severity: Medium Date : 2014-11-20 CVE-ID : CVE-2014-9015 CVE-2014-9016 Package : drupal Type : session hijacking, denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package drupal before version 7.34-1 is vulnerable to multiple issues leading to session hijacking or denial of service. Resolution ========== Upgrade to 7.34-1. # pacman -Syu "drupal>=7.34-1" The problems have been fixed upstream in version 7.34. Workaround ========== None. Description =========== Custom configured session.inc and password.inc need to be audited as well to verify if they are prone to the following vulnerabilities. More information can be found in the upstream advisory [0]. - CVE-2014-9015 (session hijacking) Aaron Averill discovered that a specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session. - CVE-2014-9016 (denial of service) Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that the password hashing API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive. Impact ====== A remote attacker is able to send specially crafted requests to hijack random sessions or exhaust the CPU and memory leading to denial of service. References ========== [0] https://www.drupal.org/SA-CORE-2014-006 https://access.redhat.com/security/cve/CVE-2014-9015 https://access.redhat.com/security/cve/CVE-2014-9016 http://seclists.org/oss-sec/2014/q4/697