Debian Bug report logs - #535435
[drupal6] SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities

Package: drupal6; Maintainer for drupal6 is Luigi Gangitano <luigi@debian.org>;

Reported by: Ingo Juergensmann <ij@2009.bluespice.org>

Date: Thu, 2 Jul 2009 05:15:01 UTC

Severity: serious

Tags: security

Fixed in version drupal6/6.12-1.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#535435; Package drupal6. (Thu, 02 Jul 2009 05:15:04 GMT)

Acknowledgement sent to Ingo Juergensmann <ij@2009.bluespice.org>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Luigi Gangitano <luigi@debian.org>. (Thu, 02 Jul 2009 05:15:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Ingo Juergensmann <ij@2009.bluespice.org>
To: submit@bugs.debian.org
Subject: [drupal6] SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities
Date: Thu, 02 Jul 2009 07:13:47 +0200
Package: drupal6
Severity: serious
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

--- Please enter the report below this line. ---

Please upgrade Drupal6 because of the latest Drupal Core SA. Drupal5
seems to be affected as well.

- http://drupal.org/drupal-6.13
- http://drupal.org/node/507572

Thanks!
Ingo

--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.30-1-686

Debian Release: squeeze/sid
  500 unstable        www.debian-multimedia.org
  500 unstable        ftp2.de.debian.org

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.




-- 
Ciao...            //      Fon: 0381-2744150
      Ingo       \X/       http://blog.windfluechter.net

gpg pubkey: http://www.juergensmann.de/ij_public_key.asc




Bug 535435 cloned as bug 535476. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 02 Jul 2009 14:06:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#535435; Package drupal6. (Mon, 06 Jul 2009 18:42:03 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Luigi Gangitano <luigi@debian.org>. (Mon, 06 Jul 2009 18:42:03 GMT)

Message #12 received at 535435@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 535435@bugs.debian.org
Subject: intent to NMU
Date: Mon, 6 Jul 2009 20:31:55 +0200
Hi,
attached is a patch for a 0-day NMU to fix this issue.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[drupal6-6.12-1_6.12-1.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Mon, 06 Jul 2009 19:09:04 GMT)

Notification sent to Ingo Juergensmann <ij@2009.bluespice.org>:
Bug acknowledged by developer. (Mon, 06 Jul 2009 19:09:04 GMT)

Message #17 received at 535435-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 535435-close@bugs.debian.org
Subject: Bug#535435: fixed in drupal6 6.12-1.1
Date: Mon, 06 Jul 2009 18:47:06 +0000
Source: drupal6
Source-Version: 6.12-1.1

We believe that the bug you reported is fixed in the latest version of
drupal6, which is due to be installed in the Debian FTP archive:

drupal6_6.12-1.1.diff.gz
  to pool/main/d/drupal6/drupal6_6.12-1.1.diff.gz
drupal6_6.12-1.1.dsc
  to pool/main/d/drupal6/drupal6_6.12-1.1.dsc
drupal6_6.12-1.1_all.deb
  to pool/main/d/drupal6/drupal6_6.12-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 535435@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated drupal6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 06 Jul 2009 20:27:45 +0200
Source: drupal6
Binary: drupal6
Architecture: source all
Version: 6.12-1.1
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 drupal6    - a fully-featured content management framework
Closes: 535435
Changes: 
 drupal6 (6.12-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply upstream patch to fix:
     - XSS in the forum module
     - Input format access bypass via signatures
     - Password leakage via URLs
     (no CVE id yet; SA-CORE-2009-007; Closes: #535435).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpSQzIACgkQHYflSXNkfP/hogCePjcmm4PldzxhCQgFOfA/pBqS
0mgAnijprXvXtzTLHcCc8FKNcZ6Gf4Nf
=krwT
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Aug 2009 07:28:37 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 07:50:38 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.