Your message dated Fri, 01 Jul 2005 12:02:27 -0400
with message-id <E1DoNyF-0001pM-00@newraff.debian.org>
and subject line Bug#316362: fixed in drupal 4.5.4-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 30 Jun 2005 12:34:00 +0000
From villain@ems.ru Thu Jun 30 05:34:00 2005
Return-path: <villain@ems.ru>
Received: from router.ems.ru (relay-suttk.ems.ru) [62.165.34.129]
    by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
    id 1DnyEy-0004zm-00; Thu, 30 Jun 2005 05:34:00 -0700
Received: from mail.ems.ru (localhost [127.0.0.1])
    by mail.ems.ru (postfix) with ESMTP id 125C31AA68A
    for <submit@bugs.debian.org>; Thu, 30 Jun 2005 18:33:59 +0600 (YEKST)
Received: from support.office.ems.chel.su (unknown [195.54.20.1])
    by mail.ems.ru (postfix) with ESMTP
    for <submit@bugs.debian.org>; Thu, 30 Jun 2005 18:33:59 +0600 (YEKST)
Received: by support.office.ems.chel.su (Postfix, from userid 1000)
    id C0EA22C56D; Thu, 30 Jun 2005 18:33:55 +0600 (YEKST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Aleksey I Zavilohin <villain@ems.ru>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: security problem with drupal
X-Mailer: reportbug 3.8
Date: Thu, 30 Jun 2005 18:33:55 +0600
Message-Id: <20050630123355.C0EA22C56D@support.office.ems.chel.su>
X-Virus-Scanned: ClamAV using ClamSMTP
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
    (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
    autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: drupal
Version: 4.5.3-2
Severity: grave
Justification: user security hole

See http://drupal.org/files/sa-2005-002/advisory.txt

----------------------------------------------------------------------------
Drupal security advisory                                 DRUPAL-SA-2005-002
----------------------------------------------------------------------------
Advisory ID:      DRUPAL-SA-2005-002
Date:             2005-jun-29
Security risk:    highly critical
Impact:           system access
Where:            from remote
Vulnerability:    arbitrary PHP code execution
----------------------------------------------------------------------------

Description
-----------
Kuba Zygmunt discovered a flaw in the input validation routines of Drupal's
filter mechanism. An attacker could execute arbitrary PHP code on a target
site when public comments or postings are allowed.

Versions affected
-----------------
Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3
Drupal 4.6.0, 4.6.1

Solution
--------
Either disable public comments and postings, or upgrade to the latest Drupal
version:

- If you cannot upgrade immediately, you can secure your site by disabling
  public postings and comments. Log in as an administrator, go to
  "administer >> access control" and make sure that untrusted roles don't
  have the permissions to submit or edit content.
- If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.4.
- If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.2.

Contact
-------
The security contact for Drupal can be reached at security@drupal.org or
using the form at http://drupal.org/contact.
-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages drupal depends on:
ii  apache                       1.3.33-6      versatile, high-performance HTTP s
ii  debconf                      1.4.30.13     Debian configuration management sy
ii  makepasswd                   1.10-2        Generate and encrypt passwords
ii  mysql-client-4.1 [mysql-clie 4.1.11a-4     mysql database client binaries
ii  php4-cli                     4:4.3.10-15   command-line interpreter for the p
ii  php4-mysql                   4:4.3.10-15   MySQL module for php4
ii  postfix [mail-transport-agen 2.1.5-9       A high-performance mail transport
ii  wwwconfig-common             0.0.43        Debian web auto configuration

-- debconf information excluded

---------------------------------------
Received: (at 316362-close) by bugs.debian.org; 1 Jul 2005 16:08:05 +0000
From katie@ftp-master.debian.org Fri Jul 01 09:08:05 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
    by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
    id 1DoO3g-0006Tk-00; Fri, 01 Jul 2005 09:08:05 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
    id 1DoNyF-0001pM-00; Fri, 01 Jul 2005 12:02:27 -0400
From: Hilko Bengen <bengen@debian.org>
To: 316362-close@bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#316362: fixed in drupal 4.5.4-1
Message-Id: <E1DoNyF-0001pM-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Fri, 01 Jul 2005 12:02:27 -0400
Delivered-To: 316362-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
    (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
    autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Source: drupal
Source-Version: 4.5.4-1

We believe that the bug you reported is fixed in the latest version of
drupal, which is due to be installed in the Debian FTP archive:

drupal_4.5.4-1.diff.gz
  to pool/main/d/drupal/drupal_4.5.4-1.diff.gz
drupal_4.5.4-1.dsc
  to pool/main/d/drupal/drupal_4.5.4-1.dsc
drupal_4.5.4-1_all.deb
  to pool/main/d/drupal/drupal_4.5.4-1_all.deb
drupal_4.5.4.orig.tar.gz
  to pool/main/d/drupal/drupal_4.5.4.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 316362@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <bengen@debian.org> (supplier of updated drupal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 1 Jul 2005 17:27:59 +0200
Source: drupal
Binary: drupal
Architecture: source all
Version: 4.5.4-1
Distribution: unstable
Urgency: high
Maintainer: Hilko Bengen <bengen@debian.org>
Changed-By: Hilko Bengen <bengen@debian.org>
Description:
 drupal     - fully-featured content management/discussion engine
Closes: 313449 313702 315869 316362
Changes:
 drupal (4.5.4-1) unstable; urgency=HIGH
 .
   * New upstream version (Closes: #316362)
     - Fixes two serious security bugs (see
       http://drupal.org/files/sa-2005-002/advisory.txt and
       http://drupal.org/files/sa-2005-003/advisory.txt)
   * README.Debian now mentions that the site-wide configuration files are
     to be found in /etc/drupal (Closes: #313449)
   * [Jens Seidel <jensseidel@users.sf.net>] Corrected minor typos in German
     Debconf translation (Closes: #313702)
   * [Miroslav Kure <kurem@upcase.inf.upol.cz>] Added Czech Debconf
     translation (Closes: #315869)
Files:
 a8c9a11230369f6fad46e91b8b1d4306 609 web extra drupal_4.5.4-1.dsc
 53f8c8a65a02b5328945d6bade47691c 472270 web extra drupal_4.5.4.orig.tar.gz
 70a127c9abf132e95c93fe3776e7828c 42560 web extra drupal_4.5.4-1.diff.gz
 4578b3442f901b012409d1e5a72b1206 488206 web extra drupal_4.5.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCxWeSUCgnLz/SlGgRArJBAKDWDC56uEeIWdb8E5fFJhTl6gLvlQCeL3HC
4Rz2eHTwqaMKSP6e0RPxMm4=
=WEB1
-----END PGP SIGNATURE-----
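The Files: block of the signed .changes message above gives an md5sum, a byte size and a filename for each artefact of the 4.5.4-1 upload. The shell function below is an added example, not part of the Debian BTS mail or of the drupal package, showing how an administrator who has fetched those artefacts can check each one against such a listing before installing it. It assumes GNU coreutils (md5sum, wc); the list and file names in the usage comment are constructed placeholders. The listing itself is only as trustworthy as the PGP signature wrapped around it, so the .changes file should be checked with gpg --verify first; this function covers the second step, matching files to the verified listing. Note that .changes files of that era carried md5sums only, while current ones also carry Checksums-Sha256 blocks, which the same approach handles by swapping the hash tool.

```shell
#!/bin/sh
# Added example, not from the Debian BTS mail or the drupal package.
# Checks the artefacts named in a .changes/.dsc "Files:" block against
# what is actually on disk. Each entry has the form
#   <md5sum> <size> <section> <priority> <filename>
# Assumes GNU coreutils (md5sum, wc). The listing is only trustworthy
# once the signature on the .changes file has been verified with gpg.

# verify_files_block LISTFILE DIR
#   LISTFILE: text file holding the Files: entries, one per line (the
#             leading space of the .changes layout is accepted)
#   DIR:      directory containing the downloaded artefacts
# Prints one status line per entry; returns 0 only if every entry is
# present with the expected size and md5sum.
verify_files_block() {
    list="$1"
    dir="$2"
    status=0
    # "|| [ -n \"$name\" ]" still processes a final line lacking a newline.
    while read -r md5 size section priority name || [ -n "$name" ]; do
        [ -n "$name" ] || continue            # skip blank lines
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        actual_size=$(wc -c < "$path" | tr -d ' ')
        actual_md5=$(md5sum "$path" | cut -d' ' -f1)
        # Size and digest must both match; a size mismatch alone already
        # means the download is not the listed artefact.
        if [ "$actual_size" = "$size" ] && [ "$actual_md5" = "$md5" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $actual_md5 $actual_size, expected $md5 $size)"
            status=1
        fi
    done < "$list"
    return "$status"
}

# Usage (PACKAGE.changes is a placeholder): after "gpg --verify" has
# accepted the .changes file, pull its Files: entries into a list and
# run the check from the download directory:
#   sed -n '/^Files:/,/^$/{/^ /p;}' PACKAGE.changes > files.lst
#   verify_files_block files.lst .
```

The function deliberately reports every entry rather than stopping at the first problem, so a partial download (MISSING) is distinguishable from a corrupted or substituted one (MISMATCH), and its exit status can gate an automated install step.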