Your message dated Sun, 19 May 2013 16:37:33 +0000
with message-id <e1ue6c1-0005ng...@franck.debian.org>
and subject line Bug#708746: Removed package(s) from unstable
has caused the Debian Bug report #696343,
regarding [drupal6] SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities in Drupal 6 & 7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
696343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696343
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: drupal6
Severity: critical
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

--- Please enter the report below this line. ---

Hi!

There's a security update for Drupal6 and Drupal7 available:

http://drupal.org/SA-CORE-2012-004


Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Access bypass (User module search - Drupal 6 and 7)

A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users.

This vulnerability is mitigated by the fact that the default Drupal core user search results only display usernames (and disclosure of usernames is not considered a security vulnerability). However, since modules or themes may override the search results to display more information from each user's profile, this could result in additional information about blocked users being disclosed on some sites.

CVE: Requested.

Access bypass (Upload module - Drupal 6)

A vulnerability was identified that allows information about uploaded files to be displayed in RSS feeds and search results to users that do not have the "view uploaded files" permission.

This issue affects Drupal 6 only.

CVE: Requested.

Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)

Drupal core's file upload feature blocks the upload of many files that can be executed on the server by munging the filename. A malicious user could name a file in a manner that bypasses this munging of the filename in Drupal's input validation.

This vulnerability is mitigated by several factors: The attacker would need the permission to upload a file to the server. Certain combinations of PHP and filesystems are not vulnerable to this issue, though we did not perform an exhaustive review of the supported PHP versions. Finally: the server would need to allow execution of files in the uploads directory. Drupal core has protected against this with a .htaccess file protection in place from SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations. Users of IIS should consider updating their web.config. Users of Nginx should confirm that only the index.php and other known good scripts are executable. Users of other webservers should review their configuration to ensure the goals are achieved in some other way.

CVE: Requested.

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

    Drupal core 6.x versions prior to 6.27.
    Drupal core 7.x versions prior to 7.18.

Solution

Install the latest version:

    If you use Drupal 6.x, upgrade to Drupal core 6.27.
    If you use Drupal 7.x, upgrade to Drupal core 7.18.


--- System information. ---
Architecture: amd64
Kernel:       Linux 3.2.0-4-amd64

Debian Release: 7.0
  500 unstable        www.deb-multimedia.org
  500 unstable        ftp.de.debian.org
    1 experimental    ftp.de.debian.org

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.

--
Ciao...            //      Fon: 0381-2744150
      Ingo       \X/       http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc

--- End Message ---
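As an added illustration (not code from the advisory, from Drupal core, or from either message above), the Python below approximates the filename munging the advisory refers to and adds a defender-side audit of names already sitting in an uploads directory; the allow-list, the extension-like pattern and the sample file names are all constructed assumptions.

```python
import re

# Constructed allow-list; a real site takes this from its upload field settings.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "pdf"}
# Constructed pattern for segments that look like a file extension
# (2-5 letters with an optional trailing digit).
EXT_LIKE = re.compile(r"^[a-zA-Z]{2,5}\d?$")


def munge_filename(filename, allowed=ALLOWED_EXTENSIONS):
    """Append '_' to every intermediate extension-like segment that is not on
    the allow-list, so 'shell.php.txt' is stored as 'shell.php_.txt' and a web
    server that acts on any '.php' segment no longer treats it as a script."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # basename only
    parts = name.split(".")
    if len(parts) < 3:
        return name  # 'x' or 'x.ext': no intermediate segment to munge
    base, middle, final = parts[0], parts[1:-1], parts[-1]
    out = base
    for seg in middle:
        out += "." + seg
        if seg.lower() not in allowed and EXT_LIKE.match(seg):
            out += "_"
    return out + "." + final


def extension_allowed(filename, allowed=ALLOWED_EXTENSIONS):
    """The final extension is checked separately: it must be on the allow-list."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in allowed


def audit_stored_names(names, allowed=ALLOWED_EXTENSIONS):
    """Flag stored names whose final extension is not allowed, or that still
    carry an un-munged intermediate extension-like segment (e.g. '.php'
    before '.txt'). Useful as a check that the munging actually took effect."""
    flagged = []
    for name in names:
        if not extension_allowed(name, allowed) or munge_filename(name, allowed) != name:
            flagged.append(name)
    return flagged


# Constructed sample of names as they might appear in an uploads directory.
SAMPLE = ["photo.jpg", "report.pdf", "notes.php.txt", "img.php_.jpg", "backdoor.phtml"]
```

Running `audit_stored_names(SAMPLE)` flags `notes.php.txt` (un-munged `.php` segment) and `backdoor.phtml` (final extension not allowed); the already-munged `img.php_.jpg` passes.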
--- Begin Message ---
Version: 6.26-1.1+rm

Dear submitter,

as the package drupal6 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/708746

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@debian.org.

Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl (the ftpmaster behind the curtain)

--- End Message ---
