Re: Your "drupal6" stable upload
Hi Adam,
The stable-proposed-updates upload of drupal6_6.18-1squeeze1 was requested by DSA since the issue was rated 'minor'. See the attached email.
Sorry if I didn't follow the preferred approach, but I was not aware of it and did not verify beforehand. Do you want me to file the bug now?
Regards,
L
On 27 Jun 2011, at 14:20, Adam D. Barratt wrote:
> Hi,
>
> I noticed that you've uploaded a "drupal6" package to proposed-updates, fixing a security issue. Was the upload discussed with the security team beforehand, to verify that they did not want to release a DSA for the issue?
>
> In either case, for future uploads please note that the preferred approach is to file an appropriately user-tagged bug against release.debian.org (reportbug has templates which will dtrt) and wait for confirmation before uploading.
>
> Regards,
>
> Adam
>
--
Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
--- Begin Message ---
- To: Luigi Gangitano <luigi@debian.org>
- Cc: Florian Weimer <fw@deneb.enyo.de>, team@security.debian.org
- Subject: Re: drupal6: fix for SA-CORE-2011-001
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Wed, 22 Jun 2011 20:02:05 +0200
- Message-id: <20110622180205.GB3990@pisco.westfalen.local>
- In-reply-to: <F301D88B-6BF6-4398-8A42-1925CE41A17E@debian.org>
- References: <AFFBD668-8331-455A-8A17-D256DE4F1FBA@debian.org> <871uyo4aa6.fsf@mid.deneb.enyo.de> <F301D88B-6BF6-4398-8A42-1925CE41A17E@debian.org>
On Tue, Jun 21, 2011 at 04:45:39AM +0200, Luigi Gangitano wrote:
>
> On 20 Jun 2011, at 20:39, Florian Weimer wrote:
>
> > * Luigi Gangitano:
> >
> >> I've prepared an updated version of drupal6 which fixes a XSS
> >> vulnerability in the color module (SA-CORE-2011-001). Please find
> >> the attached files.
> >
> > Thanks for contacting us.
> >
> > It seems to me that exploitation of this vulnerability requires write
> > access to the Drupal site. Is this correct? Then you should fix this
> > through stable-proposed-updates because it is a vulnerability with
> > very low impact.
>
> Exploit requires admin access (or custom access with equivalent rights on themes) to the website and a theme with color selection support. Color module allows for changeable colors in themes.
>
> There is at least one theme with color support (Garland) installed by default.
>
> There is also a reflected XSS in error-handling requiring on-screen error display, which is turned on by default. More details:
>
> http://drupal.org/node/1168756
>
> Please let me know which between stable-proposed-updates or stable-security is the right queue.
Please upload through stable-proposed-updates.
Cheers,
Moritz
--- End Message ---