[Pkg-drupal-devel] Security issues in Drupal 5.1 and 4.7.6

Moritz Muehlenhoff jmm at inutil.org
Sun Jul 29 21:06:15 UTC 2007


Luigi Gangitano wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi security team,
> two vulnerabilities have been found in recent versions of drupal:
>
> DRUPAL-SA-2007-017: cross site request forgeries in Forms API, drupal 5.x 
> before 5.2 is affected, drupal 4.7.x is _not_ affected (no CVE-ID assigned, 
> atm)
>
> DRUPAL-SA-2007-018: XSS in server variables, drupal 5.x before 5.2 is 
> affected, drupal 4.7.x before 4.7.7 is affected (no CVE-ID assigned, atm)
>
> Two new packages (drupal-4.7_4.7.7-1 and drupal5_5.2-1) have been uploaded 
> last night with fixes.
>
> Testing will be affected by both vulnerabilities until drupal5 migrates 
> (uploaded with urgency high).
>
> Etch is not affected.

That's hardly surprising, given that drupal isn't part of Etch. :-)

But what about Drupal in Sarge?

Cheers,
        Moritz
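The two advisories quoted above name a CSRF weakness in the Forms API and an XSS weakness in server variables but do not show either in code. The following PHP is an added illustration, not Drupal code and not from either poster: it shows the generic shape of each defect class beside the hardened form (escaping request-derived server variables before they reach HTML, and binding a per-session, per-form token that is checked on submission). Function names, the session layout and the sample inputs are all constructed for this example.

```php
<?php
// Added illustration (not Drupal code): the two defect classes named in the
// advisories, each shown as a vulnerable pattern beside a hardened one.
declare(strict_types=1);

// --- 1. XSS via server variables -----------------------------------------
// Vulnerable pattern: a request-influenced server variable is echoed raw.
// PHP_SELF may carry attacker-supplied path info, so markup injected there
// lands directly in the page.
function formActionUnsafe(array $server): string
{
    return '<form action="' . ($server['PHP_SELF'] ?? '') . '">';
}

// Hardened: anything derived from the request is escaped for an HTML
// attribute context before it is concatenated into markup.
function formActionSafe(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $self . '">';
}

// --- 2. CSRF in form handling --------------------------------------------
// Issue a token bound to both the session and the form id. The secret lives
// server-side in the session; the token is an HMAC of the form id under it,
// so a token for one form cannot be replayed against another.
function issueFormToken(array &$session, string $formId): string
{
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return hash_hmac('sha256', $formId, $session['csrf_secret']);
}

// Validate on submission: a missing token, a missing session secret, or a
// mismatch all reject the request. hash_equals() avoids timing leaks.
function validateFormToken(array $session, string $formId, ?string $submitted): bool
{
    if ($submitted === null || empty($session['csrf_secret'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $formId, $session['csrf_secret']);
    return hash_equals($expected, $submitted);
}

// --- Demonstration on constructed input ----------------------------------
// Constructed PHP_SELF value that closes the attribute and injects a tag.
$server = ['PHP_SELF' => '/index.php/"><b>injected</b>'];
echo formActionUnsafe($server), PHP_EOL; // injected tag survives into markup
echo formActionSafe($server), PHP_EOL;   // quotes and angle brackets are entities

$session = [];
$token = issueFormToken($session, 'contact_form');
$checks = [
    'valid token, same form'     => validateFormToken($session, 'contact_form', $token),
    'missing token'              => validateFormToken($session, 'contact_form', null),
    'token replayed on other form' => validateFormToken($session, 'other_form', $token),
    'no session secret'          => validateFormToken([], 'contact_form', $token),
];
foreach ($checks as $label => $ok) {
    echo str_pad($label, 30), $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

Only the first check should be accepted; the other three are the cases a form handler has to reject for the token to be worth anything. In a real application the session array would be `$_SESSION` and the token would be emitted as a hidden field of the form it protects.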
