[Secure-testing-team] Bug#700545: [drupal7] Latest security patches don't fix security warning within Drupal7 (update.module)
Ingo Juergensmann
ij at 2013.bluespice.org
Thu Feb 14 07:15:01 UTC 2013
Package: drupal7
Version: 7.14-1.3
Severity: serious
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
--- Please enter the report below this line. ---
Hi Debian Security, hi Luigi, hi Gunnar,
the last Debian security updates like #696342 and #698334 fixed the
reported issues by applying the appropriate patches, but unfortunately
they missed the patch that turns off the prominent warning to the end
user running his/her Drupal installation. For example,
http://${site}/admin/reports/updates reports something like this with
drupal7_7.14-1.3_all.deb installed:
Security update required!error
Drupal core 7.14
Recommended version: 7.19 (2013-Jan-16)
Download
Release notes
Security update: 7.19 (2013-Jan-16)
Download
Release notes
Security update: 7.18 (2012-Dec-19)
Download
Release notes
Security update: 7.16 (2012-Oct-17)
Download
Release notes
See attached image as well. Additionally there is a prominent warning
about security updates being available on every administrative page.
There was already a discussion for drupal6 about this - and a fix, too!
Please see discussion in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521288 - I do believe
that applying security patches should include taking care of not
confusing the user and applying a patch to remove the security warning
coming from the update module.
I'm filing this bug as grave because of the upcoming deep freeze. Maybe
Gunnar can adopt his patch from Drupal6 for Drupal7?
Regards,
Ingo
--- System information. ---
Architecture: amd64
Kernel: Linux 3.2.0-4-amd64
Debian Release: 7.0
500 unstable www.deb-multimedia.org
500 unstable ftp.de.debian.org
1 experimental ftp.de.debian.org
--- Package information. ---
Depends                    (Version) | Installed
====================================-+-============
debconf                     (>= 0.5) | 1.5.49
OR debconf-2.0                       |
apache2                              | 2.2.22-12
OR httpd                             |
php5                                 | 5.4.4-12
php5-mysql                           | 5.4.4-12
OR php5-pgsql                        | 5.4.4-12
php5-gd                              | 5.4.4-12
default-mta                          |
OR mail-transport-agent              |
wwwconfig-common         (>= 0.0.37) | 0.2.2
mysql-client                         | 5.5.29+dfsg-1
OR virtual-mysql-client              |
OR postgresql-client                 | 9.1+134wheezy3
dbconfig-common                      | 1.8.47+nmu1
curl                                 | 7.28.0-3
Recommends        (Version) | Installed
===========================-+-===========
mysql-server                | 5.5.29+dfsg-1
OR postgresql               | 9.1+134wheezy3
Package's Suggests field is empty.
--
Ciao... // Fon: 0381-2744150
Ingo \X/ http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snapshot_drupal7_securitywarnings.png
Type: image/png
Size: 31540 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20130214/0931e2c1/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snapshot_drupal8_securitywarnings2.png
Type: image/png
Size: 11881 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20130214/0931e2c1/attachment-0003.png>