Debian Bug report logs - #572439
SA-CORE-2010-001 - Drupal core - Multiple vulnerabilities

version graph

Package: drupal6; Maintainer for drupal6 is Luigi Gangitano <luigi@debian.org>;

Reported by: "Stefan Hornburg (Racke)" <racke@linuxia.de>

Date: Thu, 4 Mar 2010 08:30:02 UTC

Severity: critical

Tags: security

Fixed in versions drupal6/6.16-1, drupal6/6.6-3lenny5

Done: Luigi Gangitano <luigi@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Luigi Gangitano <luigi@debian.org>:
Bug#572439; Package drupal6. (Thu, 04 Mar 2010 08:30:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Stefan Hornburg (Racke)" <racke@linuxia.de>:
New Bug report received and forwarded. Copy sent to Luigi Gangitano <luigi@debian.org>. (Thu, 04 Mar 2010 08:30:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Stefan Hornburg (Racke)" <racke@linuxia.de>
To: submit@bugs.debian.org
Subject: SA-CORE-2010-001 - Drupal core - Multiple vulnerabilities
Date: Thu, 04 Mar 2010 09:28:41 +0100
package: drupal6
severity: critical
tags: security

  * Advisory ID: DRUPAL-SA-CORE-2010-001
  * Project: Drupal core
  * Version: 5.x, 6.x
  * Date: 2010-March-03
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION
---------------------------------------------------------

Multiple vulnerabilities and weaknesses were discovered in Drupal.
.... Installation cross site scripting

A user-supplied value is directly output during installation allowing a
malicious user to craft a URL and perform a cross-site scripting attack. The
exploit can only be conducted on sites not yet installed. This issue affects
Drupal 6.x only.
.... Open redirection

The API function drupal_goto() is susceptible to a phishing attack. An
attacker could formulate a redirect in a way that gets the Drupal site to
send the user to an arbitrarily provided URL. No user submitted data will be
sent to that URL. This issue affects Drupal 5.x and 6.x.
.... Locale module cross site scripting

Locale module and dependent contributed modules do not sanitize the display
of language codes, native and English language names properly. While these
usually come from a preselected list, arbitrary administrator input is
allowed. This vulnerability is mitigated by the fact that the attacker must
have a role with the 'administer languages' permission. This issue affects
Drupal 5.x and 6.x.
.... Blocked user session regeneration

Under certain circumstances, a user with an open session that is blocked can
maintain his/her session on the Drupal site, despite being blocked. This
issue affects Drupal 5.x and 6.x.
-------- VERSIONS AFFECTED
---------------------------------------------------

  * Drupal 6.x before version 6.16.
  * Drupal 5.x before version 5.22.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:
  * If you are running Drupal 6.x then upgrade to Drupal 6.16 [1].
  * If you are running Drupal 5.x then upgrade to Drupal 5.22 [2].

Drupal 5 will no longer be maintained when Drupal 7 is released [3].
Upgrading to Drupal 6 [4] is recommended. If you are unable to upgrade
immediately, you can apply a patch to secure your installation until you are
able to do a proper upgrade. These patches fix the security vulnerabilities,
but do not contain other fixes which were released in Drupal 6.16 or Drupal
5.22.
  * To patch Drupal 6.15 use SA-CORE-2010-001-6.15.patch [5].
  * To patch Drupal 5.21 use SA-CORE-2010-001-5.21.patch [6].

-------- REPORTED BY
---------------------------------------------------------

The installation cross site scripting issue was reported by David Rothstein
[7] (*). The open redirection was reported by Martin Barbella [8]. The locale
module cross site scripting was reported by Justin Klein Keane [9]. The
blocked user session regeneration issue was reported by Craig A. Hancock
[10]. (*) Member of the Drupal security team.
-------- FIXED BY
------------------------------------------------------------

The installation cross site scripting issue was fixed by Heine Deelstra [11].
The open redirection was fixed by Gerhard Killesreiter [12] and Heine
Deelstra [13]. The locale module cross site scripting was fixed by St├ęphane
Corlosquet [14], Peter Wolanin [15], Heine Deelstra [16] and Neil Drumm [17].
The blocked user session regeneration issue was fixed by Gerhard Killesreiter
[18]. All the fixes were done by members of the Drupal security team.
-------- CONTACT
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://ftp.drupal.org/files/projects/drupal-6.16.tar.gz
[2] http://ftp.drupal.org/files/projects/drupal-5.22.tar.gz
[3] http://drupal.org/node/725382
[4] http://drupal.org/upgrade
[5] http://drupal.org/files/sa-core-2010-001/SA-CORE-2010-001-6.15.patch
[6] http://drupal.org/files/sa-core-2010-001/SA-CORE-2010-001-5.21.patch
[7] http://drupal.org/user/124982
[8] http://drupal.org/user/633600
[9] http://drupal.org/user/302225
[10] http://drupal.org/user/62850
[11] http://drupal.org/user/17943
[12] http://drupal.org/user/227
[13] http://drupal.org/user/17943
[14] http://drupal.org/user/52142
[15] http://drupal.org/user/49851
[16] http://drupal.org/user/17943
[17] http://drupal.org/user/3064
[18] http://drupal.org/user/227

_______________________________________________
Security-news mailing list
Security-news@drupal.org
http://lists.drupal.org/mailman/listinfo/security-news




Reply sent to Luigi Gangitano <luigi@debian.org>:
You have taken responsibility. (Fri, 12 Mar 2010 13:51:07 GMT) Full text and rfc822 format available.

Notification sent to "Stefan Hornburg (Racke)" <racke@linuxia.de>:
Bug acknowledged by developer. (Fri, 12 Mar 2010 13:51:08 GMT) Full text and rfc822 format available.

Message #10 received at 572439-close@bugs.debian.org (full text, mbox):

From: Luigi Gangitano <luigi@debian.org>
To: 572439-close@bugs.debian.org
Subject: Bug#572439: fixed in drupal6 6.16-1
Date: Fri, 12 Mar 2010 13:47:10 +0000
Source: drupal6
Source-Version: 6.16-1

We believe that the bug you reported is fixed in the latest version of
drupal6, which is due to be installed in the Debian FTP archive:

drupal6_6.16-1.diff.gz
  to main/d/drupal6/drupal6_6.16-1.diff.gz
drupal6_6.16-1.dsc
  to main/d/drupal6/drupal6_6.16-1.dsc
drupal6_6.16-1_all.deb
  to main/d/drupal6/drupal6_6.16-1_all.deb
drupal6_6.16.orig.tar.gz
  to main/d/drupal6/drupal6_6.16.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 572439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano <luigi@debian.org> (supplier of updated drupal6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 12 Mar 2010 14:04:02 +0100
Source: drupal6
Binary: drupal6
Architecture: source all
Version: 6.16-1
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Luigi Gangitano <luigi@debian.org>
Description: 
 drupal6    - a fully-featured content management framework
Closes: 521288 572439
Changes: 
 drupal6 (6.16-1) unstable; urgency=high
 .
   [ Luigi Gangitano ]
   * Urgency high due to security fixes
 .
   * New upstream release
     - Fixes multiple vulnerabilities (Closes: #572439)
       (Ref: SA-CORE-2010-001, CVE-TBA)
 .
 drupal6 (6.15-2) UNRELEASED; urgency=low
 .
   [ Alexandre De Dommelin ]
   * Added patch to remove warnings about Drupal core updates (Closes: #521288)
   * Bump Standards-Version from 3.8.3 to 3.8.4 (no changes needed)
Checksums-Sha1: 
 d55bc2a21eb755b504fe2939e6d0c11879488b34 1113 drupal6_6.16-1.dsc
 90db81b6f4b9b0514c9cdd1338f344492beb5477 1090616 drupal6_6.16.orig.tar.gz
 76f1c1460977f5dfd99b6ec6b72b2e8d0a6deb72 18107 drupal6_6.16-1.diff.gz
 4cfd624ed7557b95b6cbb5b0039c255b2e8b44af 1122150 drupal6_6.16-1_all.deb
Checksums-Sha256: 
 1a100849743bb211eb79ebe58f44bd2f99164d5bf6aaddcba6059c418fc9c898 1113 drupal6_6.16-1.dsc
 1ad0cb1b3b99e19d3f433409f7418bce3f2e4ea6fee7ac4e5a35837cd948b613 1090616 drupal6_6.16.orig.tar.gz
 89c6ba56504868853d4c90d4bff3e20ccc0f9bbdd9aec91ed14ee6af56ccc447 18107 drupal6_6.16-1.diff.gz
 744f214511dcee2c63fe4d2562b0f774ca53223053a7ab66c01ffd4887aa121e 1122150 drupal6_6.16-1_all.deb
Files: 
 ae3753248ff018e2ae23b767181c8bec 1113 web extra drupal6_6.16-1.dsc
 bb27c1f90680b86df2c535b2d52e8021 1090616 web extra drupal6_6.16.orig.tar.gz
 77c2d3d0c2adcf72651e80dc9e0075ac 18107 web extra drupal6_6.16-1.diff.gz
 e03adc7d1879e1cb4af6b79df4463b85 1122150 web extra drupal6_6.16-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAkuaQzsACgkQ8ZumGJJMDCaryACffjhCTQAAQt+S+MKhPO/eOB1w
sDcAnjZxrTzwuBxvT8Pm0eO3MmNQ/QkC
=C7vA
-----END PGP SIGNATURE-----





Reply sent to Luigi Gangitano <luigi@debian.org>:
You have taken responsibility. (Sun, 14 Mar 2010 01:54:04 GMT) Full text and rfc822 format available.

Notification sent to "Stefan Hornburg (Racke)" <racke@linuxia.de>:
Bug acknowledged by developer. (Sun, 14 Mar 2010 01:54:04 GMT) Full text and rfc822 format available.

Message #15 received at 572439-close@bugs.debian.org (full text, mbox):

From: Luigi Gangitano <luigi@debian.org>
To: 572439-close@bugs.debian.org
Subject: Bug#572439: fixed in drupal6 6.6-3lenny5
Date: Sun, 14 Mar 2010 01:52:43 +0000
Source: drupal6
Source-Version: 6.6-3lenny5

We believe that the bug you reported is fixed in the latest version of
drupal6, which is due to be installed in the Debian FTP archive:

drupal6_6.6-3lenny5.diff.gz
  to main/d/drupal6/drupal6_6.6-3lenny5.diff.gz
drupal6_6.6-3lenny5.dsc
  to main/d/drupal6/drupal6_6.6-3lenny5.dsc
drupal6_6.6-3lenny5_all.deb
  to main/d/drupal6/drupal6_6.6-3lenny5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 572439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano <luigi@debian.org> (supplier of updated drupal6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 12 Mar 2010 14:43:38 +0100
Source: drupal6
Binary: drupal6
Architecture: source all
Version: 6.6-3lenny5
Distribution: stable-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Luigi Gangitano <luigi@debian.org>
Description: 
 drupal6    - a fully-featured content management framework
Closes: 572439
Changes: 
 drupal6 (6.6-3lenny5) stable-security; urgency=high
 .
   [ Luigi Gangitano ]
   * debian/patches/19_SA-CORE-2010-001
     - Fixes multiple XSS vulnerabilities (Closes: #572439)
       (Ref: SA-CORE-2010-001, CVE-TBA)
Checksums-Sha1: 
 290fc76609810cf46228ab396dba906a6a006b5e 1130 drupal6_6.6-3lenny5.dsc
 fbd3e6994eb535a4fedb47c9f67f1e4cbd5ec134 27774 drupal6_6.6-3lenny5.diff.gz
 f63e6697d20d43598652ca58e975dc4888135966 1090960 drupal6_6.6-3lenny5_all.deb
Checksums-Sha256: 
 d1aa786d2082eba7d5b8e44b56e79ddf19f8b8f119acb5fa843bdbd853bb3046 1130 drupal6_6.6-3lenny5.dsc
 0b5aa05f224676ce6975194029e6bf2969249ad7e91e36b207b9f44c7462d427 27774 drupal6_6.6-3lenny5.diff.gz
 13af5273bc8132d5654faf5b1ab5cafbc2e6944ad97f3e8c6b68acebdb70f234 1090960 drupal6_6.6-3lenny5_all.deb
Files: 
 c9a38beb62cb13b3da19ecf47b7ce45b 1130 web extra drupal6_6.6-3lenny5.dsc
 5729f8478c82576cfc74c4f78e1eb650 27774 web extra drupal6_6.6-3lenny5.diff.gz
 ec52242f1cad13d4553f684202063bc9 1090960 web extra drupal6_6.6-3lenny5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAkubYWAACgkQ8ZumGJJMDCbpeACfWAxCVCGOxZNbP15CRUJ6zawx
xekAnAyXQodeQyn/8RJG6HqU+v8fZuAZ
=Od2a
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:36:27 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:55:38 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.