[drupal-devel] Bug#323347: marked as done (Another XMLRPC issue in drupal)

Debian Bug Tracking System owner at bugs.debian.org
Tue Aug 30 20:41:23 UTC 2005


Your message dated Tue, 30 Aug 2005 13:32:06 -0700
with message-id <20050830203206.GC9009 at tennyson.netexpress.net>
and subject line [drupal-devel] Bug#323347: Another XMLRPC issue in drupal
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 16 Aug 2005 07:45:40 +0000
>From jmm at inutil.org Tue Aug 16 00:45:40 2005
Return-path: <jmm at inutil.org>
Received: from (vserver151.vserver151.serverflex.de) [193.22.164.111] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1E4w8i-0006YE-00; Tue, 16 Aug 2005 00:45:40 -0700
Received: from wlan-client-006.informatik.uni-bremen.de ([134.102.116.7] helo=localhost.localdomain)
	by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.50)
	id 1E4w8d-0003On-Fy
	for submit at bugs.debian.org; Tue, 16 Aug 2005 09:45:35 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.52)
	id 1E4w91-0001RT-E0; Tue, 16 Aug 2005 09:45:59 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <jmm at inutil.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: Another XMLRPC issue in drupal
X-Mailer: reportbug 3.15
Date: Tue, 16 Aug 2005 09:45:59 +0200
Message-Id: <E1E4w91-0001RT-E0 at localhost.localdomain>
X-SA-Exim-Connect-IP: 134.102.116.7
X-SA-Exim-Mail-From: jmm at inutil.org
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: drupal
Severity: grave
Tags: security
Justification: user security hole

[I'm pretty sure you are already aware of it; but here it is anyway]

Another XMLRPC vulnerability has been detected that affects Drupal
as well. Please see http://www.hardened-php.net/advisory_142005.66.html
for information about the issue in general. 

The new upstream release 4.5.4 resolves this issue.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)

---------------------------------------
Received: (at 323347-done) by bugs.debian.org; 30 Aug 2005 20:32:08 +0000
>From vorlon at debian.org Tue Aug 30 13:32:07 2005
Return-path: <vorlon at debian.org>
Received: from dsl093-039-086.pdx1.dsl.speakeasy.net (tennyson.netexpress.net) [66.93.39.86] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EACm7-0002fJ-00; Tue, 30 Aug 2005 13:32:07 -0700
Received: by tennyson.netexpress.net (Postfix, from userid 1003)
	id C79FC7049; Tue, 30 Aug 2005 13:32:06 -0700 (PDT)
Date: Tue, 30 Aug 2005 13:32:06 -0700
From: Steve Langasek <vorlon at debian.org>
To: Karoly Negyesi <karoly at negyesi.net>
Cc: drupal-devel at drupal.org, 323347-done at bugs.debian.org
Subject: Re: [drupal-devel] Bug#323347: Another XMLRPC issue in drupal
Message-ID: <20050830203206.GC9009 at tennyson.netexpress.net>
References: <E1E4w91-0001RT-E0 at localhost.localdomain> <20050830114433.GA16309 at informatik.uni-bremen.de> <20050830195859.GB9009 at tennyson.netexpress.net> <op.swb7y4snq2e0ri at ip-62-93.tvnetwork.hu>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="f+W+jCU1fRNres8c"
Content-Disposition: inline
In-Reply-To: <op.swb7y4snq2e0ri at ip-62-93.tvnetwork.hu>
User-Agent: Mutt/1.5.9i
Delivered-To: 323347-done at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02


--f+W+jCU1fRNres8c
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Version: 4.5.5-1

On Tue, Aug 30, 2005 at 10:17:18PM +0200, Karoly Negyesi wrote:
> >>> The new upstream release 4.5.4 resolves this issue.
> >
> >If the bugs are fixed in the current version then they should be closed
> >*now*, not waiting until the next upload.

> Version 4.5.5 (and 4.6.3) does not have an XML-RPC security hole to our
> best knowledge.

Then I'm closing this bug, so that we can get the security-fixed version
of drupal into testing today.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/

--f+W+jCU1fRNres8c
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline


--f+W+jCU1fRNres8c--



