[drupal-devel] Bug#316362: marked as done (security problem with drupal)
Your message dated Mon, 01 Aug 2005 22:26:03 +0200
with message-id <87hde91k10.fsf@ataraxia.int.hilluzination.de>
and subject line A new version has been uploaded to sarge
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 30 Jun 2005 12:34:00 +0000
From villain@ems.ru Thu Jun 30 05:34:00 2005
Return-path: <villain@ems.ru>
Received: from router.ems.ru (relay-suttk.ems.ru) [62.165.34.129]
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DnyEy-0004zm-00; Thu, 30 Jun 2005 05:34:00 -0700
Received: from mail.ems.ru (localhost [127.0.0.1])
	by mail.ems.ru (postfix) with ESMTP id 125C31AA68A
	for <submit@bugs.debian.org>; Thu, 30 Jun 2005 18:33:59 +0600 (YEKST)
Received: from support.office.ems.chel.su (unknown [195.54.20.1])
	by mail.ems.ru (postfix) with ESMTP
	for <submit@bugs.debian.org>; Thu, 30 Jun 2005 18:33:59 +0600 (YEKST)
Received: by support.office.ems.chel.su (Postfix, from userid 1000)
	id C0EA22C56D; Thu, 30 Jun 2005 18:33:55 +0600 (YEKST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Aleksey I Zavilohin <villain@ems.ru>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: security problem with drupal
X-Mailer: reportbug 3.8
Date: Thu, 30 Jun 2005 18:33:55 +0600
Message-Id: <20050630123355.C0EA22C56D@support.office.ems.chel.su>
X-Virus-Scanned: ClamAV using ClamSMTP
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: drupal
Version: 4.5.3-2
Severity: grave
Justification: user security hole

See http://drupal.org/files/sa-2005-002/advisory.txt

----------------------------------------------------------------------------
Drupal security advisory                                   DRUPAL-SA-2005-002
----------------------------------------------------------------------------
Advisory ID:    DRUPAL-SA-2005-002
Date:           2005-jun-29
Security risk:  highly critical
Impact:         system access
Where:          from remote
Vulnerability:  arbitrary PHP code execution
----------------------------------------------------------------------------

Description
-----------
Kuba Zygmunt discovered a flaw in the input validation routines of Drupal's
filter mechanism.  An attacker could execute arbitrary PHP code on a target
site when public comments or postings are allowed.

Versions affected
-----------------
Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3
Drupal 4.6.0, 4.6.1

Solution
--------
Either disable public comments and postings, or upgrade to the latest Drupal
version:

- If you cannot upgrade immediately, you can secure your site by disabling
  public postings and comments.  Log in as an administrator, go to
  "administer >> access control" and make sure that untrusted roles don't
  have the permissions to submit or edit content.
- If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.4.
- If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.2.

Contact
-------
The security contact for Drupal can be reached at security@drupal.org or
using the form at http://drupal.org/contact.
-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages drupal depends on:
ii  apache                        1.3.33-6     versatile, high-performance HTTP s
ii  debconf                       1.4.30.13    Debian configuration management sy
ii  makepasswd                    1.10-2       Generate and encrypt passwords
ii  mysql-client-4.1 [mysql-clie  4.1.11a-4    mysql database client binaries
ii  php4-cli                      4:4.3.10-15  command-line interpreter for the p
ii  php4-mysql                    4:4.3.10-15  MySQL module for php4
ii  postfix [mail-transport-agen  2.1.5-9      A high-performance mail transport
ii  wwwconfig-common              0.0.43       Debian web auto configuration

-- debconf information excluded

---------------------------------------
Received: (at 316362-done) by bugs.debian.org; 1 Aug 2005 20:26:18 +0000
From bengen@debian.org Mon Aug 01 13:26:18 2005
Return-path: <bengen@debian.org>
Received: from mail.kamp-dsl.de (dsl-mail.kamp.net) [195.62.99.42]
	by spohr.debian.org with smtp (Exim 3.36 1 (Debian))
	id 1DzgrZ-0008GB-00; Mon, 01 Aug 2005 13:26:18 -0700
Received: (qmail 8820 invoked by uid 513); 1 Aug 2005 20:26:22 -0000
Received: from 213.146.117.234 by dsl-mail (envelope-from <bengen@debian.org>, uid 89) with qmail-scanner-1.24
	(clamdscan: 0.80/609. spamassassin: 2.60. Clear:RC:1(213.146.117.234):SA:0(-1.6/5.0):.
	Processed in 1.366376 secs); 01 Aug 2005 20:26:22 -0000
Received: from hilluzination.de (HELO paranoia) (hillu%kamp-dsl.de@213.146.117.234)
	by dsl-mail.kamp.net with SMTP; 1 Aug 2005 20:26:20 -0000
Received: from [192.168.1.230] (helo=localhost.localdomain)
	by paranoia with esmtp (Exim 4.50)
	id 1DzgrL-00046d-Aj
	for 316362-done@bugs.debian.org; Mon, 01 Aug 2005 22:26:03 +0200
Received: from bengen by localhost.localdomain with local (Exim 4.52)
	id 1DzgrL-0002d3-Pl
	for 316362-done@bugs.debian.org; Mon, 01 Aug 2005 22:26:03 +0200
To: 316362-done@bugs.debian.org
Subject: A new version has been uploaded to sarge
Mail-Copies-To: nobody
From: Hilko Bengen <bengen@debian.org>
Date: Mon, 01 Aug 2005 22:26:03 +0200
Message-ID: <87hde91k10.fsf@ataraxia.int.hilluzination.de>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4 (Jumbo Shrimp, linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Delivered-To: 316362-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no version=2.60-bugs.debian.org_2005_01_02
I just noticed that this bug is still open, although a fixed package was uploaded weeks ago. Closing it.