Your message dated Tue, 30 Aug 2005 13:32:06 -0700
with message-id <[EMAIL PROTECTED]>
and subject line [drupal-devel] Bug#323347: Another XMLRPC issue in drupal
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 16 Aug 2005 07:45:40 +0000
>From [EMAIL PROTECTED] Tue Aug 16 00:45:40 2005
Return-path: <[EMAIL PROTECTED]>
Received: from (vserver151.vserver151.serverflex.de) [193.22.164.111] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1E4w8i-0006YE-00; Tue, 16 Aug 2005 00:45:40 -0700
Received: from wlan-client-006.informatik.uni-bremen.de ([134.102.116.7] 
helo=localhost.localdomain)
        by vserver151.vserver151.serverflex.de with esmtpsa 
(TLS-1.0:RSA_AES_256_CBC_SHA:32)
        (Exim 4.50)
        id 1E4w8d-0003On-Fy
        for [EMAIL PROTECTED]; Tue, 16 Aug 2005 09:45:35 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.52)
        id 1E4w91-0001RT-E0; Tue, 16 Aug 2005 09:45:59 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: Another XMLRPC issue in drupal
X-Mailer: reportbug 3.15
Date: Tue, 16 Aug 2005 09:45:59 +0200
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: 134.102.116.7
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond 
expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: drupal
Severity: grave
Tags: security
Justification: user security hole

[I'm pretty sure you are already aware of it; but here it is anyway]

Another XMLRPC vulnerability has been detected that affects Drupal
as well. Please see http://www.hardened-php.net/advisory_142005.66.html
for information about the issue in general. 

The new upstream release 4.5.4 resolves this issue.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

---------------------------------------
Received: (at 323347-done) by bugs.debian.org; 30 Aug 2005 20:32:08 +0000
>From [EMAIL PROTECTED] Tue Aug 30 13:32:07 2005
Return-path: <[EMAIL PROTECTED]>
Received: from dsl093-039-086.pdx1.dsl.speakeasy.net (tennyson.netexpress.net) 
[66.93.39.86] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EACm7-0002fJ-00; Tue, 30 Aug 2005 13:32:07 -0700
Received: by tennyson.netexpress.net (Postfix, from userid 1003)
        id C79FC7049; Tue, 30 Aug 2005 13:32:06 -0700 (PDT)
Date: Tue, 30 Aug 2005 13:32:06 -0700
From: Steve Langasek <[EMAIL PROTECTED]>
To: Karoly Negyesi <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [drupal-devel] Bug#323347: Another XMLRPC issue in drupal
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="f+W+jCU1fRNres8c"
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02


--f+W+jCU1fRNres8c
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Version: 4.5.5-1

On Tue, Aug 30, 2005 at 10:17:18PM +0200, Karoly Negyesi wrote:
> >>> The new upstream release 4.5.4 resolves this issue.
> >
> >If the bugs are fixed in the current version then they should be closed
> >*now*, not waiting until the next upload.

> Version 4.5.5 (and 4.6.3) does not have an XML-RPC security hole to our
> best knowledge.

Then I'm closing this bug, so that we can get the security-fixed version
of drupal into testing today.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/

--f+W+jCU1fRNres8c
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline


--f+W+jCU1fRNres8c--

