[drupal-devel] Bug#316362: marked as done (security problem with drupal)

Debian Bug Tracking System owner at bugs.debian.org
Mon Aug 1 20:50:06 UTC 2005

Your message dated Mon, 01 Aug 2005 22:26:03 +0200
with message-id <87hde91k10.fsf at ataraxia.int.hilluzination.de>
and subject line A new version has been uploaded to sarge
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 30 Jun 2005 12:34:00 +0000
>From villain at ems.ru Thu Jun 30 05:34:00 2005
Return-path: <villain at ems.ru>
Received: from router.ems.ru (relay-suttk.ems.ru) [] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DnyEy-0004zm-00; Thu, 30 Jun 2005 05:34:00 -0700
Received: from mail.ems.ru (localhost [])
	by mail.ems.ru (postfix) with ESMTP id 125C31AA68A
	for <submit at bugs.debian.org>; Thu, 30 Jun 2005 18:33:59 +0600 (YEKST)
Received: from support.office.ems.chel.su (unknown [])
	by mail.ems.ru (postfix) with ESMTP
	for <submit at bugs.debian.org>; Thu, 30 Jun 2005 18:33:59 +0600 (YEKST)
Received: by support.office.ems.chel.su (Postfix, from userid 1000)
	id C0EA22C56D; Thu, 30 Jun 2005 18:33:55 +0600 (YEKST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Aleksey I Zavilohin <villain at ems.ru>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: security problem with drupal
X-Mailer: reportbug 3.8
Date: Thu, 30 Jun 2005 18:33:55 +0600
Message-Id: <20050630123355.C0EA22C56D at support.office.ems.chel.su>
X-Virus-Scanned: ClamAV using ClamSMTP
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: drupal
Version: 4.5.3-2
Severity: grave
Justification: user security hole

See http://drupal.org/files/sa-2005-002/advisory.txt

Drupal security advisory                                  DRUPAL-SA-2005-002
Advisory ID:    DRUPAL-SA-2005-002
Date:           2005-jun-29
Security risk:  highly critical
Impact:         system access
Where:          from remote
Vulnerability:  arbitrary PHP code execution

Kuba Zygmunt discovered a flaw in the input validation routines of Drupal's
filter mechanism.  An attacker could execute arbitrary PHP code on a target 
site when public comments or postings are allowed.

Versions affected
Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3
Drupal 4.6.0, 4.6.1

Either disable public comments and postings, or upgrade to the latest Drupal
- If you cannot upgrade immediately, you can secure your site by disabling
  public postings and comments.  Log in as an administrator, go to
  "administer >> access control" and make sure that untrusted roles don't
  have the permissions to submit or edit content.
- If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.4.
- If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.2.

The security contact for Drupal can be reached at security at drupal.org 
or using the form at http://drupal.org/contact.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages drupal depends on:
ii  apache                       1.3.33-6    versatile, high-performance HTTP s
ii  debconf               Debian configuration management sy
ii  makepasswd                   1.10-2      Generate and encrypt passwords
ii  mysql-client-4.1 [mysql-clie 4.1.11a-4   mysql database client binaries
ii  php4-cli                     4:4.3.10-15 command-line interpreter for the p
ii  php4-mysql                   4:4.3.10-15 MySQL module for php4
ii  postfix [mail-transport-agen 2.1.5-9     A high-performance mail transport 
ii  wwwconfig-common             0.0.43      Debian web auto configuration

-- debconf information excluded

Received: (at 316362-done) by bugs.debian.org; 1 Aug 2005 20:26:18 +0000
>From bengen at debian.org Mon Aug 01 13:26:18 2005
Return-path: <bengen at debian.org>
Received: from mail.kamp-dsl.de (dsl-mail.kamp.net) [] 
	by spohr.debian.org with smtp (Exim 3.36 1 (Debian))
	id 1DzgrZ-0008GB-00; Mon, 01 Aug 2005 13:26:18 -0700
Received: (qmail 8820 invoked by uid 513); 1 Aug 2005 20:26:22 -0000
Received: from by dsl-mail (envelope-from <bengen at debian.org>, uid 89) with qmail-scanner-1.24 
 (clamdscan: 0.80/609. spamassassin: 2.60.  
 Processed in 1.366376 secs); 01 Aug 2005 20:26:22 -0000
Received: from hilluzination.de (HELO paranoia) (hillu%kamp-dsl.de at
  by dsl-mail.kamp.net with SMTP; 1 Aug 2005 20:26:20 -0000
Received: from [] (helo=localhost.localdomain)
	by paranoia with esmtp (Exim 4.50)
	id 1DzgrL-00046d-Aj
	for 316362-done at bugs.debian.org; Mon, 01 Aug 2005 22:26:03 +0200
Received: from bengen by localhost.localdomain with local (Exim 4.52)
	id 1DzgrL-0002d3-Pl
	for 316362-done at bugs.debian.org; Mon, 01 Aug 2005 22:26:03 +0200
To: 316362-done at bugs.debian.org
Subject: A new version has been uploaded to sarge
Mail-Copies-To: nobody
From: Hilko Bengen <bengen at debian.org>
Date: Mon, 01 Aug 2005 22:26:03 +0200
Message-ID: <87hde91k10.fsf at ataraxia.int.hilluzination.de>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4 (Jumbo Shrimp, linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Delivered-To: 316362-done at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 

I just noticed that this bug is still open, although a fixed package
was uploaded weeks ago. Closing it.

More information about the drupal-devel mailing list