Your message dated Tue, 30 Aug 2005 13:32:06 -0700
with message-id <20050830203206.GC9009@tennyson.netexpress.net>
and subject line [drupal-devel] Bug#323347: Another XMLRPC issue in drupal
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 16 Aug 2005 07:45:40 +0000
From jmm@inutil.org Tue Aug 16 00:45:40 2005
Return-path: <jmm@inutil.org>
Received: from (vserver151.vserver151.serverflex.de) [193.22.164.111]
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1E4w8i-0006YE-00; Tue, 16 Aug 2005 00:45:40 -0700
Received: from wlan-client-006.informatik.uni-bremen.de ([134.102.116.7] helo=localhost.localdomain)
	by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.50) id 1E4w8d-0003On-Fy
	for submit@bugs.debian.org; Tue, 16 Aug 2005 09:45:35 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.52)
	id 1E4w91-0001RT-E0; Tue, 16 Aug 2005 09:45:59 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Another XMLRPC issue in drupal
X-Mailer: reportbug 3.15
Date: Tue, 16 Aug 2005 09:45:59 +0200
Message-Id: <E1E4w91-0001RT-E0@localhost.localdomain>
X-SA-Exim-Connect-IP: 134.102.116.7
X-SA-Exim-Mail-From: jmm@inutil.org
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: drupal
Severity: grave
Tags: security
Justification: user security hole

[I'm pretty sure you are already aware of it; but here it is anyway]

Another XMLRPC vulnerability has been detected that affects Drupal as well.
Please see http://www.hardened-php.net/advisory_142005.66.html for
information about the issue in general. The new upstream release 4.5.4
resolves this issue.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

---------------------------------------
Received: (at 323347-done) by bugs.debian.org; 30 Aug 2005 20:32:08 +0000
From vorlon@debian.org Tue Aug 30 13:32:07 2005
Return-path: <vorlon@debian.org>
Received: from dsl093-039-086.pdx1.dsl.speakeasy.net (tennyson.netexpress.net) [66.93.39.86]
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EACm7-0002fJ-00; Tue, 30 Aug 2005 13:32:07 -0700
Received: by tennyson.netexpress.net (Postfix, from userid 1003)
	id C79FC7049; Tue, 30 Aug 2005 13:32:06 -0700 (PDT)
Date: Tue, 30 Aug 2005 13:32:06 -0700
From: Steve Langasek <vorlon@debian.org>
To: Karoly Negyesi <karoly@negyesi.net>
Cc: drupal-devel@drupal.org, 323347-done@bugs.debian.org
Subject: Re: [drupal-devel] Bug#323347: Another XMLRPC issue in drupal
Message-ID: <20050830203206.GC9009@tennyson.netexpress.net>
References: <E1E4w91-0001RT-E0@localhost.localdomain>
	<20050830114433.GA16309@informatik.uni-bremen.de>
	<20050830195859.GB9009@tennyson.netexpress.net>
	<op.swb7y4snq2e0ri@ip-62-93.tvnetwork.hu>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="f+W+jCU1fRNres8c"
Content-Disposition: inline
In-Reply-To: <op.swb7y4snq2e0ri@ip-62-93.tvnetwork.hu>
User-Agent: Mutt/1.5.9i
Delivered-To: 323347-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02


--f+W+jCU1fRNres8c
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Version: 4.5.5-1

On Tue, Aug 30, 2005 at 10:17:18PM +0200, Karoly Negyesi wrote:
> > > The new upstream release 4.5.4 resolves this issue.

> > If the bugs are fixed in the current version then they should be closed
> > *now*, not waiting until the next upload.

> Version 4.5.5 (and 4.6.3) does not have an XML-RPC security hole to our
> best knowledge.

Then I'm closing this bug, so that we can get the security-fixed version of
drupal into testing today.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

--f+W+jCU1fRNres8c
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDFMJGKN6ufymYLloRAggQAKCBsQ8e0v+e2zB9RP8djgAHJ3cJcACgsWow
K7HtBxeu6DEuipJ+yvjkoVM=
=GkcP
-----END PGP SIGNATURE-----

--f+W+jCU1fRNres8c--