Articles / Debian: New drupal6 package…

Debian: New drupal6 packages fix several vulnerabilities

Several vulnerabilities have been found in drupal6, a fully-featured content management framework. A flaw in the way user signatures are handled allows a user to inject arbitrary code via a crafted user signature. A cross-site scripting issue in the forum module could be exploited via the tid parameter. Certain drupal6 pages leak sensible information such as user credentials. Several design flaws in the OpenID module have been fixed, which could lead to cross-site request forgeries or privilege escalations. Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1930-1                  security@debian.org
http://www.debian.org/security/                      Steffen Joeris
November 07, 2009                   http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : drupal6                           
Vulnerability  : several vulnerabilities           
Problem type   : remote                            
Debian-specific: no                                
CVE IDs        : CVE-2009-2372 CVE-2009-2373 CVE-2009-2374
Debian Bug     : 535435 547140                            


Several vulnerabilities have been found in drupal6, a fully-featured
content management framework. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-2372

Gerhard Killesreiter discovered a flaw in the way user signatures are
handled. It is possible for a user to inject arbitrary code via a
crafted user signature. (SA-CORE-2009-007)

CVE-2009-2373

Mark Piper, Sven Herrmann and Brandon Knight discovered a cross-site
scripting issue in the forum module, which could be exploited via the
tid parameter. (SA-CORE-2009-007)

CVE-2009-2374

Sumit Datta discovered that certain drupal6 pages leak sensible
information such as user credentials. (SA-CORE-2009-007)


Several design flaws in the OpenID module have been fixed, which could
lead to cross-site request forgeries or privilege escalations. Also, the
file upload function does not process all extensions properly leading
to the possible execution of arbitrary code.
(SA-CORE-2009-008)


For the stable distribution (lenny), these problems have been fixed in
version 6.6-3lenny3.

The oldstable distribution (etch) does not contain drupal6.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 6.14-1.


We recommend that you upgrade your drupal6 packages.


Upgrade instructions
- --------------------

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
       will update the internal database
apt-get upgrade
       will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

 http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny3.dsc
   Size/MD5 checksum:     1130 489d56336053311b1ee24aaf17f41ffb
 http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny3.diff.gz
   Size/MD5 checksum:    24870 d70dfad8a6f211cb9dd62e071e5ddfd9
 http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6.orig.tar.gz
   Size/MD5 checksum:  1071507 caaa55d1990b34dee48f5047ce98e2bb

Architecture independent packages:

 http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny3_all.deb
   Size/MD5 checksum:  1088258 6162b6933d636065c6a07e6f6199c7df


 These files will probably be moved into the stable distribution on
 its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkr0wzIACgkQ62zWxYk/rQegCACfaCVMO8lrhfH/57iPLCgFOkp5
5ykAnifSZR4vet+YNDY3Z6vOiTSgUe/0
=o5XE
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.