Gunnar Wolf uploaded new packages for Drupal7 which fixed the following security problems: CVE 2014-3704 / SA-CORE-2014-005: Highly critical: Pre Auth SQL injection The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. https://www.drupal.org/SA-CORE-2014-005 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704 https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html For the squeeze-backports distribution the problems have been fixed in version 7.14-2+deb7u7~bpo60+1. For the wheezy-backports distribution the problems have been fixed in version 7.32-1~bpo70+1.
Attachment:
signature.asc
Description: Digital signature