Re: [SECURITY] [DSA 1007-1] New drupal packages fix several vulnerabilities
maik.ellerbrock@vermop.net
Am Freitag, den 17.03.2006, 10:42 +0100 schrieb Martin Schulze:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1007-1 security@debian.org
> http://www.debian.org/security/ Martin Schulze
> March 17th, 2006 http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package : drupal
> Vulnerability : several
> Problem type : remote
> Debian-specific: no
> CVE IDs : CVE-2006-1225 CVE-2006-1226 CVE-2006-1227 CVE-2006-1228
>
>
> The Drupal Security Team discovered several vulnerabilities in Drupal,
> a fully-featured content management and discussion engine. The Common
> Vulnerabilities and Exposures project identifies the following
> problems:
>
> CVE-2006-1225
>
> Due to missing input sanitising a remote attacker could inject
> headers of outgoing e-mail messages and use Drupal as a spam
> proxy.
>
> CVE-2006-1226
>
> Missing input sanity checks allows attackers to inject arbitrary
> web script or HTML.
>
> CVE-2006-1227
>
> Menu items created with the menu.module lacked access control for,
> which might allow remote attackers to access administrator pages.
>
> CVE-2006-1228
>
> Markus Petrux discovered a bug in the session fixation which may
> allow remote attackers to gain Drupal user privileges.
>
> The old stable distribution (woody) does not contain Drupal packages.
>
> For the stable distribution (sarge) these problems have been fixed in
> version 4.5.3-6.
>
> For the unstable distribution (sid) these problems have been fixed in
> version 4.5.8-1.
>
> We recommend that you upgrade your drupal package.
>
>
> Upgrade Instructions
> - --------------------
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.1 alias sarge
> - --------------------------------
>
> Source archives:
>
> http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.dsc
> Size/MD5 checksum: 611 71b0ecbc47f9cca214a283ebec5e4600
> http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.diff.gz
> Size/MD5 checksum: 82810 56bf3a054ca7430c85f50af7ae3927db
> http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3.orig.tar.gz
> Size/MD5 checksum: 471540 bf093c4c8aca7bba62833ea1df35702f
>
> Architecture independent components:
>
> http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6_all.deb
> Size/MD5 checksum: 501428 94c1787a8eb5be13d6909f442e670cea
>
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
>
> iD8DBQFEGoSLW5ql+IAeqTIRAvTuAJ9sD9YUoEFKMzZUxUfqKi/96/j4WQCeLizm
> RLS079/UH1PrRo4n36cKZ74=
> =emeM
> -----END PGP SIGNATURE-----
>
>
Reply to: