Re: Your "drupal6" stable upload
The stable-proposed-updates upload of drupal6_6.18-1squeeze1 was requested by DSA since the issue was rated 'minor'. See the attached email.
Sorry if I didn't follow the preferred approach, but I was not aware of it and did not verify beforehand. Do you want me to file the bug now?
On 27 Jun 2011, at 14:20, Adam D. Barratt wrote:
> I noticed that you've uploaded a "drupal6" package to proposed-updates, fixing a security issue. Was the upload discussed with the security team beforehand, to verify that they did not want to release a DSA for the issue?
> In either case, for future uploads please note that the preferred approach is to file an appropriately user-tagged bug against release.debian.org (reportbug has templates which will dtrt) and wait for confirmation before uploading.
Luigi Gangitano -- <email@example.com> -- <firstname.lastname@example.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
--- Begin Message ---
On Tue, Jun 21, 2011 at 04:45:39AM +0200, Luigi Gangitano wrote:
> On 20 Jun 2011, at 20:39, Florian Weimer wrote:
> > * Luigi Gangitano:
> >> I've prepared an updated version of drupal6 which fixes an XSS
> >> vulnerability in the color module (SA-CORE-2011-001). Please find
> >> the attached files.
> > Thanks for contacting us.
> > It seems to me that exploitation of this vulnerability requires write
> > access to the Drupal site. Is this correct? Then you should fix this
> > through stable-proposed-updates because it is a vulnerability with
> > very low impact.
> Exploit requires admin access (or custom access with equivalent rights on themes) to the website and a theme with color selection support. Color module allows for changeable colors in themes.
> There is at least one theme with color support (Garland) installed by default.
> There is also a reflected XSS in error-handling requiring on-screen error display, which is turned on by default. More details:
> Please let me know which between stable-proposed-updates or stable-security is the right queue.
Please upload through stable-proposed-updates.
--- End Message ---