[Backports-security-announce] Security Update for drupal6
Luigi Gangitano uploaded new packages for drupal6 which fixed the
following security problems:
Multiple vulnerabilities and weaknesses were discovered in Drupal.
* Installation cross site scripting
A user-supplied value is directly output during installation allowing
a malicious user to craft a URL and perform a cross-site scripting attack.
The exploit can only be conducted on sites not yet installed.
* Open redirection
The API function drupal_goto() is susceptible to a phishing attack. An
attacker could formulate a redirect in a way that gets the Drupal site to
send the user to an arbitrarily provided URL. No user submitted data will
be sent to that URL.
* Locale module cross site scripting
Locale module and dependent contributed modules do not sanitize the display
of language codes, native and English language names properly. While these
usually come from a preselected list, arbitrary administrator input is
allowed. This vulnerability is mitigated by the fact that the attacker must
have a role with the 'administer languages' permission.
* Blocked user session regeneration
Under certain circumstances, a user with an open session that is blocked
can maintain his/her session on the Drupal site, despite being blocked.
For the lenny-backports distribution the problems have been fixed in
If you don't use pinning (see ) you have to update the package
manually via "apt-get -t lenny-backports install <packagelist>" with
the packagelist of your installed packages affected by this update.
We recommend to pin the backports repository to 200 so that new
versions of installed backports will be installed automatically.
Pin: release a=lenny-backports
Luigi Gangitano -- <firstname.lastname@example.org> -- <email@example.com>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26