[Secure-testing-team] Bug#592716: drupal6: SA-CORE-2010-002 - Drupal core - Multiple vulnerabilities

Ivan Vilata i Balaguer ivan at selidor.net
Thu Aug 12 09:37:06 UTC 2010


Package: drupal6
Version: 6.16-1~bpo50+1
Severity: grave
Tags: security
Justification: user security hole


DRUPAL-SA-CORE-2010-002 from 2010-08-12 includes several vulnerabilities, some
of them allowing a malicious site to identify as existing users and gain
administrative access.

The problems got fixed in 6.18, so it looks like all versions currently in
Debian are affected.

Thanks,

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (990, 'stable'), (190, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.18.8-linode22 (SMP w/4 CPU cores)
Locale: LANG=ca_ES.UTF-8, LC_CTYPE=ca_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages drupal6 depends on:
ii  curl               7.18.2-8lenny4        Get a file from an HTTP, HTTPS or 
ii  dbconfig-common    1.8.39                common framework for packaging dat
ii  debconf [debconf-2 1.5.24                Debian configuration management sy
ii  mysql-client       5.0.51a-24+lenny4     MySQL database client (metapackage
ii  mysql-client-5.0 [ 5.0.51a-24+lenny4     MySQL database client binaries
ii  nginx [httpd]      0.7.67-3              small, but very powerful and effic
ii  php5               5.2.6.dfsg.1-1+lenny9 server-side, HTML-embedded scripti
ii  php5-gd            5.2.6.dfsg.1-1+lenny9 GD module for php5
ii  php5-mysql         5.2.6.dfsg.1-1+lenny9 MySQL module for php5
ii  postfix [mail-tran 2.5.5-1.1             High-performance mail transport ag
ii  wwwconfig-common   0.1.2                 Debian web auto configuration

Versions of packages drupal6 recommends:
ii  mysql-server           5.0.51a-24+lenny4 MySQL database server (metapackage
ii  mysql-server-5.0 [mysq 5.0.51a-24+lenny4 MySQL database server binaries

drupal6 suggests no packages.

-- debconf information excluded




