[drupal-devel] Bug#316362: marked as done (security problem with drupal)

Debian Bug Tracking System owner at bugs.debian.org
Fri Jul 1 16:49:42 UTC 2005

Your message dated Fri, 01 Jul 2005 12:02:27 -0400
with message-id <E1DoNyF-0001pM-00 at newraff.debian.org>
and subject line Bug#316362: fixed in drupal 4.5.4-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 30 Jun 2005 12:34:00 +0000
>From villain at ems.ru Thu Jun 30 05:34:00 2005
Return-path: <villain at ems.ru>
Received: from router.ems.ru (relay-suttk.ems.ru) [] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DnyEy-0004zm-00; Thu, 30 Jun 2005 05:34:00 -0700
Received: from mail.ems.ru (localhost [])
	by mail.ems.ru (postfix) with ESMTP id 125C31AA68A
	for <submit at bugs.debian.org>; Thu, 30 Jun 2005 18:33:59 +0600 (YEKST)
Received: from support.office.ems.chel.su (unknown [])
	by mail.ems.ru (postfix) with ESMTP
	for <submit at bugs.debian.org>; Thu, 30 Jun 2005 18:33:59 +0600 (YEKST)
Received: by support.office.ems.chel.su (Postfix, from userid 1000)
	id C0EA22C56D; Thu, 30 Jun 2005 18:33:55 +0600 (YEKST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Aleksey I Zavilohin <villain at ems.ru>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: security problem with drupal
X-Mailer: reportbug 3.8
Date: Thu, 30 Jun 2005 18:33:55 +0600
Message-Id: <20050630123355.C0EA22C56D at support.office.ems.chel.su>
X-Virus-Scanned: ClamAV using ClamSMTP
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: drupal
Version: 4.5.3-2
Severity: grave
Justification: user security hole

See http://drupal.org/files/sa-2005-002/advisory.txt

Drupal security advisory                                  DRUPAL-SA-2005-002
Advisory ID:    DRUPAL-SA-2005-002
Date:           2005-jun-29
Security risk:  highly critical
Impact:         system access
Where:          from remote
Vulnerability:  arbitrary PHP code execution

Kuba Zygmunt discovered a flaw in the input validation routines of Drupal's
filter mechanism.  An attacker could execute arbitrary PHP code on a target 
site when public comments or postings are allowed.

Versions affected
Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3
Drupal 4.6.0, 4.6.1

Either disable public comments and postings, or upgrade to the latest Drupal
- If you cannot upgrade immediately, you can secure your site by disabling
  public postings and comments.  Log in as an administrator, go to
  "administer >> access control" and make sure that untrusted roles don't
  have the permissions to submit or edit content.
- If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.4.
- If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.2.

The security contact for Drupal can be reached at security at drupal.org 
or using the form at http://drupal.org/contact.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages drupal depends on:
ii  apache                       1.3.33-6    versatile, high-performance HTTP s
ii  debconf               Debian configuration management sy
ii  makepasswd                   1.10-2      Generate and encrypt passwords
ii  mysql-client-4.1 [mysql-clie 4.1.11a-4   mysql database client binaries
ii  php4-cli                     4:4.3.10-15 command-line interpreter for the p
ii  php4-mysql                   4:4.3.10-15 MySQL module for php4
ii  postfix [mail-transport-agen 2.1.5-9     A high-performance mail transport 
ii  wwwconfig-common             0.0.43      Debian web auto configuration

-- debconf information excluded

Received: (at 316362-close) by bugs.debian.org; 1 Jul 2005 16:08:05 +0000
>From katie at ftp-master.debian.org Fri Jul 01 09:08:05 2005
Return-path: <katie at ftp-master.debian.org>
Received: from newraff.debian.org [] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DoO3g-0006Tk-00; Fri, 01 Jul 2005 09:08:05 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DoNyF-0001pM-00; Fri, 01 Jul 2005 12:02:27 -0400
From: Hilko Bengen <bengen at debian.org>
To: 316362-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#316362: fixed in drupal 4.5.4-1
Message-Id: <E1DoNyF-0001pM-00 at newraff.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Fri, 01 Jul 2005 12:02:27 -0400
Delivered-To: 316362-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: drupal
Source-Version: 4.5.4-1

We believe that the bug you reported is fixed in the latest version of
drupal, which is due to be installed in the Debian FTP archive:

  to pool/main/d/drupal/drupal_4.5.4-1.diff.gz
  to pool/main/d/drupal/drupal_4.5.4-1.dsc
  to pool/main/d/drupal/drupal_4.5.4-1_all.deb
  to pool/main/d/drupal/drupal_4.5.4.orig.tar.gz

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 316362 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Hilko Bengen <bengen at debian.org> (supplier of updated drupal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)

Hash: SHA1

Format: 1.7
Date: Fri,  1 Jul 2005 17:27:59 +0200
Source: drupal
Binary: drupal
Architecture: source all
Version: 4.5.4-1
Distribution: unstable
Urgency: high
Maintainer: Hilko Bengen <bengen at debian.org>
Changed-By: Hilko Bengen <bengen at debian.org>
 drupal     - fully-featured content management/discussion engine
Closes: 313449 313702 315869 316362
 drupal (4.5.4-1) unstable; urgency=HIGH
   * New upstream version (Closes: #316362)
     - Fixes two serious security bugs
       (see http://drupal.org/files/sa-2005-002/advisory.txt
        and http://drupal.org/files/sa-2005-003/advisory.txt)
   * README.Debian now mentions that the site-wide configuration files are
     to be found in /etc/drupal (Closes: #313449)
   * [Jens Seidel <jensseidel at users.sf.net>] Corrected minor typos in
     German Debconf translation (Closes: #313702)
   * [Miroslav Kure <kurem at upcase.inf.upol.cz>] Added Czech Debconf
     translation (Closes: #315869)
 a8c9a11230369f6fad46e91b8b1d4306 609 web extra drupal_4.5.4-1.dsc
 53f8c8a65a02b5328945d6bade47691c 472270 web extra drupal_4.5.4.orig.tar.gz
 70a127c9abf132e95c93fe3776e7828c 42560 web extra drupal_4.5.4-1.diff.gz
 4578b3442f901b012409d1e5a72b1206 488206 web extra drupal_4.5.4-1_all.deb

Version: GnuPG v1.4.1 (GNU/Linux)


More information about the drupal-devel mailing list