[Pkg-drupal-devel] Security issues in Drupal 5.1 and 4.7.6

Luigi Gangitano luigi at debian.org
Mon Aug 20 14:41:31 UTC 2007



On 29 Jul 2007, at 23:06, Moritz Muehlenhoff wrote:
> Luigi Gangitano wrote:
>> Hi security team,
>> two vulnerabilities have been found in recent versions of drupal:
>>
>> DRUPAL-SA-2007-017: cross site request forgeries in Forms API, drupal 5.x
>> before 5.2 is affected, drupal 4.7.x is _not_ affected (no CVE-ID
>> assigned, atm)
>>
>> DRUPAL-SA-2007-018: XSS in server variables, drupal 5.x before 5.2 is
>> affected, drupal 4.7.x before 4.7.7 is affected (no CVE-ID assigned, atm)
>>
>> Two new packages (drupal-4.7_4.7.7-1 and drupal5_5.2-1) have been
>> uploaded last night with fixes.
>>
>> Testing will be affected by both vulnerabilities until drupal5 migrates
>> (uploaded with urgency high).
>>
>> Etch is not affected.
>
> That's hardly surprising, given that drupal isn't part of Etch. :-)
>
> But what about Drupal in Sarge?

DRUPAL-SA-2007-018 only affects Drupal > 5.x and < 5.2, so Sarge is
not affected.

DRUPAL-SA-2007-017 affects any version of drupal < 4.7.7/5.2, so Sarge
is affected. I'll try to produce a patch in the next few days,
backporting fixes from 4.7.7.

Regards,

L

--
Luigi Gangitano -- <luigi at debian.org> -- <gangitano at lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26




