-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2009-9754 2009-09-18 23:22:46 --------------------------------------------------------------------------------
Name : drupal-date Product : Fedora 10 Version : 6.x.2.4 Release : 0.fc10 URL : http://drupal.org/project/date Summary : This package contains both the Date module and a Date API module Description : The Date API is available to be used by other modules and is not dependent on having CCK installed. The date module is a flexible date/time field type for the cck content module which requires the CCK content.module and the Date API module. -------------------------------------------------------------------------------- Update Information: * Advisory ID: DRUPAL-SA-CONTRIB-2009-057 ( http://drupal.org/node/579144 ) * Project: Date (third-party module) * Version: 5.x, 6.x * Date: 2009-September-16 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Date module provides a date CCK field that can be added to any content type. The Date module does not properly escape user data correctly in some cases when setting the page title. A malicious user with permission to post date content could attempt a cross site scripting [1] (XSS) attack when creating or editing content, leading to the user gaining full administrative access. -------- VERSIONS AFFECTED --------------------------------------------------- * Date for Drupal 6.x prior to 6.x-2.4 * Date for Drupal 6.x prior to 5.x-2.8 Drupal core is not affected. If you do not use the contributed Date module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Upgrade to the latest version: * If you use Date for Drupal 6.x upgrade to Date 6.x-2.4 [2] * If you use Date for Drupal 5.x upgrade to Date 5.x-2.8 [3] See also the Date project page [4]. -------- REPORTED BY --------------------------------------------------------- The Acquia, Inc. support team -------- FIXED BY ------------------------------------------------------------ Karen Stevenson [5], the project maintainer. -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross- site_scripting [2] http://drupal.org/node/579000 [3] http://drupal.org/node/578998 [4] http://drupal.org/project/date [5] http://drupal.org/user/45874 -------------------------------------------------------------------------------- ChangeLog: * Wed Sep 16 2009 Jon Ciesla <[email protected]> - 6.x.2.4-0 - Update to new version. - Fix for DRUPAL-SA-CONTRIB-2009-057. * Wed Jul 29 2009 Jon Ciesla <[email protected]> - 6.x.2.3-0 - Update to new version. - Fix for DRUPAL-SA-CONTRIB-2009-046. * Fri Jul 24 2009 Fedora Release Engineering <[email protected]> - 6.x.2.0-2.rc4.2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild * Tue Feb 24 2009 Fedora Release Engineering <[email protected]> - 6.x.2.0-2.rc4.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild * Tue Nov 4 2008 Jon Ciesla <[email protected]> - 6.x.2.0-2.rc4 - Update to new version. -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update drupal-date' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at http://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ Fedora-package-announce mailing list [email protected] http://www.redhat.com/mailman/listinfo/fedora-package-announce
