[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[Backports-security-announce] Security Update for drupal6

  Luigi Gangitano uploaded new packages for drupal6 which fixed the
  following security problems:
  Multiple vulnerabilities and weaknesses were discovered in Drupal.

  * Installation cross site scripting

  A user-supplied value is directly output during installation allowing
  a malicious user to craft a URL and perform a cross-site scripting attack.
  The exploit can only be conducted on sites not yet installed.

  * Open redirection

  The API function drupal_goto() is susceptible to a phishing attack. An
  attacker could formulate a redirect in a way that gets the Drupal site to
  send the user to an arbitrarily provided URL. No user submitted data will
  be sent to that URL.

  * Locale module cross site scripting

  Locale module and dependent contributed modules do not sanitize the display
  of language codes, native and English language names properly. While these
  usually come from a preselected list, arbitrary administrator input is
  allowed. This vulnerability is mitigated by the fact that the attacker must
  have a role with the 'administer languages' permission.

  * Blocked user session regeneration

  Under certain circumstances, a user with an open session that is blocked
  can maintain his/her session on the Drupal site, despite being blocked.

  For the lenny-backports distribution the problems have been fixed in
  version 6.16-1~bpo50+1.
  Upgrade instructions
  If you don't use pinning (see [1]) you have to update the package
  manually via "apt-get -t lenny-backports install <packagelist>" with
  the packagelist of your installed packages affected by this update.
  [1] <http://backports.org/dokuwiki/doku.php?id=instructions>
  We recommend to pin the backports repository to 200 so that new
  versions of installed  backports will be installed automatically. 
    Package: *
    Pin: release a=lenny-backports
    Pin-Priority: 200

Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26

Reply to: