
Re: Your "drupal6" stable upload



Hi Adam,

The stable-proposed-updates upload of drupal6_6.18-1squeeze1 was requested by DSA since the issue was rated 'minor'. See the attached email.

Sorry if I didn't follow the preferred approach, but I was not aware of it and did not verify beforehand. Do you want me to file the bug now?

Regards,

L

On 27 Jun 2011, at 14:20, Adam D. Barratt wrote:

> Hi,
> 
> I noticed that you've uploaded a "drupal6" package to proposed-updates, fixing a security issue.  Was the upload discussed with the security team beforehand, to verify that they did not want to release a DSA for the issue?
> 
> In either case, for future uploads please note that the preferred approach is to file an appropriately user-tagged bug against release.debian.org (reportbug has templates which will dtrt) and wait for confirmation before uploading.
> 
> Regards,
> 
> Adam
> 

--
Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26

--- Begin Message ---
On Tue, Jun 21, 2011 at 04:45:39AM +0200, Luigi Gangitano wrote:
> 
> On 20 Jun 2011, at 20:39, Florian Weimer wrote:
> 
> > * Luigi Gangitano:
> > 
> >> I've prepared an updated version of drupal6 which fixes a XSS
> >> vulnerability in the color module (SA-CORE-2011-001). Please find
> >> the attached files.
> > 
> > Thanks for contacting us.
> > 
> > It seems to me that exploitation of this vulnerability requires write
> > access to the Drupal site.  Is this correct?  Then you should fix this
> > through stable-proposed-updates because it is a vulnerability with
> > very low impact.
> 
> Exploitation requires admin access (or custom access with equivalent rights on themes) to the website and a theme with color selection support. The Color module allows for changeable colors in themes.
> 
> There is at least one theme with color support (Garland) installed by default.
> 
> There is also a reflected XSS in error-handling requiring on-screen error display, which is turned on by default. More details:
> 
>   http://drupal.org/node/1168756
> 
> Please let me know which between stable-proposed-updates or stable-security is the right queue.

Please upload through stable-proposed-updates.

Cheers,
        Moritz


--- End Message ---
