Re: Drupal DRUPAL-SA-2006-005, DRUPAL-SA-2006-006

To: Jan Luehr <listen@stephan.homeunix.net>
Cc: debian-security@lists.debian.org
Subject: Re: Drupal DRUPAL-SA-2006-005, DRUPAL-SA-2006-006
From: Christophe Chisogne <christophe@publicityweb.com>
Date: Mon, 29 May 2006 12:47:19 +0200
Message-id: <[🔎] 447AD137.1030602@publicityweb.com>
In-reply-to: <[🔎] 200605281623.36042.listen@stephan.homeunix.net>
References: <[🔎] 200605281623.36042.listen@stephan.homeunix.net>

Jan Luehr wrote:
> Is fix for 005 and 006 on its way?

The fixes you're talking about [1] don't seem complex at first sight,
as the patches for Drupal 4.6.6 [2,3] are pretty simple. So, I guess
the security team will be able to handle this without problems :)

If you can't wait, just try to apply the patches yourself, and don't
forget to create a .htaccess files in the "files" directory, with this
simple content:
	"SetHandler This_is_a_Drupal_security_line_do_not_remove".
(Drupal 4.6.7 has code to create that file automatically.)

If you have enough time, you can try to manually upgrade to the latest
Drupal (4.7.1), as drupal in Debian is only in the 4.5.x series.
Of course, this means you must manually maintain it by yourself.

Ch.

[1] Drupal 4.6.7 and 4.7.1 released
http://drupal.org/drupal-4.7.1

[2] DRUPAL-SA-2006-005 : Patch for 4.6.6
http://drupal.org/files/sa-2006-005/4.6.6.patch

[3] DRUPAL-SA-2006-006 : Patch for 4.6.6
http://drupal.org/files/sa-2006-006/4.6.6.patch

Reply to:

References:
- Drupal DRUPAL-SA-2006-005, DRUPAL-SA-2006-006
  - From: Jan Luehr <listen@stephan.homeunix.net>

Prev by Date: Bogus DNS data from several debian.org authoritative servers
Next by Date: Re: Bogus DNS data from several debian.org authoritative servers
Previous by thread: Drupal DRUPAL-SA-2006-005, DRUPAL-SA-2006-006
Next by thread: Bogus DNS data from several debian.org authoritative servers
Index(es):
- Date
- Thread