[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 1007-1] New drupal packages fix several vulnerabilities

maik.ellerbrock@vermop.net



Am Freitag, den 17.03.2006, 10:42 +0100 schrieb Martin Schulze:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1007-1                    security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> March 17th, 2006                        http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
> 
> Package        : drupal
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE IDs        : CVE-2006-1225 CVE-2006-1226 CVE-2006-1227 CVE-2006-1228
> 
> 
> The Drupal Security Team discovered several vulnerabilities in Drupal,
> a fully-featured content management and discussion engine.  The Common
> Vulnerabilities and Exposures project identifies the following
> problems:
> 
> CVE-2006-1225
> 
>     Due to missing input sanitising a remote attacker could inject
>     headers of outgoing e-mail messages and use Drupal as a spam
>     proxy.
> 
> CVE-2006-1226
> 
>     Missing input sanity checks allows attackers to inject arbitrary
>     web script or HTML.
> 
> CVE-2006-1227
> 
>     Menu items created with the menu.module lacked access control for,
>     which might allow remote attackers to access administrator pages.
> 
> CVE-2006-1228
> 
>     Markus Petrux discovered a bug in the session fixation which may
>     allow remote attackers to gain Drupal user privileges.
> 
> The old stable distribution (woody) does not contain Drupal packages.
> 
> For the stable distribution (sarge) these problems have been fixed in
> version 4.5.3-6.
> 
> For the unstable distribution (sid) these problems have been fixed in
> version 4.5.8-1.
> 
> We recommend that you upgrade your drupal package.
> 
> 
> Upgrade Instructions
> - --------------------
> 
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
> 
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
> 
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
> 
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
> 
> 
> Debian GNU/Linux 3.1 alias sarge
> - --------------------------------
> 
>   Source archives:
> 
>     http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.dsc
>       Size/MD5 checksum:      611 71b0ecbc47f9cca214a283ebec5e4600
>     http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.diff.gz
>       Size/MD5 checksum:    82810 56bf3a054ca7430c85f50af7ae3927db
>     http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3.orig.tar.gz
>       Size/MD5 checksum:   471540 bf093c4c8aca7bba62833ea1df35702f
> 
>   Architecture independent components:
> 
>     http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6_all.deb
>       Size/MD5 checksum:   501428 94c1787a8eb5be13d6909f442e670cea
> 
> 
>   These files will probably be moved into the stable distribution on
>   its next update.
> 
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
> 
> iD8DBQFEGoSLW5ql+IAeqTIRAvTuAJ9sD9YUoEFKMzZUxUfqKi/96/j4WQCeLizm
> RLS079/UH1PrRo4n36cKZ74=
> =emeM
> -----END PGP SIGNATURE-----
> 
>
Reply to: