Accepted: drupal 5.1-0ubuntu2.2 (source)
Ubuntu Installer
archive at ubuntu.com
Mon Nov 26 21:55:20 GMT 2007
Accepted:
OK: drupal_5.1.orig.tar.gz
OK: drupal_5.1-0ubuntu2.2.diff.gz
OK: drupal_5.1-0ubuntu2.2.dsc
-> Component: universe Section: web
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 13 Nov 2007 10:39:28 +0100
Source: drupal
Binary: drupal-5.1
Architecture: source
Version: 5.1-0ubuntu2.2
Distribution: feisty-security
Urgency: low
Maintainer: Ubuntu MOTU Developers <ubuntu-motu at lists.ubuntu.com>
Changed-By: Stephan Hermann <sh at sourcecode.de>
Description:
drupal-5.1 - a fully-featured content management framework
Changes:
drupal (5.1-0ubuntu2.2) feisty-security; urgency=low
.
* SECURITY UPDATE:
Drupal 5.1 and 5.2 have several security issues; these are:
+ CVE-2007-5593: install.php in Drupal 5.x before 5.3,
when the configured database server is not reachable,
allows remote attackers to execute arbitrary code via
vectors that cause settings.php to be modified.
+ CVE-2007-5594: Drupal 5.x before 5.3 does not apply its
Drupal Forms API protection against the user deletion form,
which allows remote attackers to delete users via a cross-site
request forgery (CSRF) attack.
+ CVE-2007-5595: CRLF injection vulnerability in the drupal_goto
function in includes/common.inc Drupal 4.7.x before 4.7.8
and 5.x before 5.3 allows remote attackers to inject arbitrary
HTTP headers and conduct HTTP response splitting attacks via
unspecified vectors.
+ CVE-2007-5596: The core Upload module in Drupal 4.7.x
before 4.7.8 and 5.x before 5.3 places the .html extension
on a whitelist, which allows remote attackers to conduct
cross-site scripting (XSS) attacks by uploading .html files.
+ CVE-2007-5597: The hook_comments API in Drupal 4.7.x before 4.7.8
and 5.x before 5.3 does not pass publication status, which might
allow attackers to bypass access restrictions and trigger e-mail
with unpublished comments from some modules, as demonstrated by
(1) Organic groups and (2) Subscriptions.
* debian/patches/23_SA-2007-025-5.2.dpatch:
- Applied fix from upstream
(http://drupal.org/files/sa-2007-025/SA-2007-025-5.2.patch)
* debian/patches/25_SA-2007-029-5.2.dpatch:
- Applied fix from upstream
(http://drupal.org/files/sa-2007-029/SA-2007-029-5.2.patch)
* debian/patches/22_SA-2007-024-5.2.dpatch:
- Applied fix from upstream
(http://drupal.org/files/sa-2007-024/SA-2007-024-5.2.patch)
* debian/patches/24_SA-2007-026-5.2.dpatch:
- Applied fix from upstream
(http://drupal.org/files/sa-2007-026/SA-2007-026-5.2.patch)
* debian/patches/26_SA-2007-030-5.2.dpatch:
- Applied fix from upstream
(http://drupal.org/files/sa-2007-030/SA-2007-030-5.2.patch)
* References:
CVE-2007-5593
CVE-2007-5594
CVE-2007-5595
CVE-2007-5596
CVE-2007-5597
Files:
1e664e5deb9c0743f8c9279b8674171f 660 web extra drupal_5.1-0ubuntu2.2.dsc
82d56f64f72a57053de4572cee19effc 36418 web extra drupal_5.1-0ubuntu2.2.diff.gz
Original-Maintainer: Luigi Gangitano <luigi at debian.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHSx/gH/9LqRcGPm0RArkUAJ9E+WPrPYJmKeXkrFKxUozov6PGUQCeIeZe
/PuDIxEF8jq+Vr9Im+cRMAU=
=2lw2
-----END PGP SIGNATURE-----
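Two of the issues fixed above (CVE-2007-5595, CRLF injection through a redirect helper, and CVE-2007-5596, an upload whitelist that admitted .html) are generic web-application defects, so as an added illustration, not part of this upload, the Ubuntu package or Drupal's own code, here is a small PHP sketch of the defensive checks each class calls for. The function names safe_redirect_target() and upload_extension_allowed() are hypothetical, the allowed-extension list and the sample inputs are constructed, and nothing here reproduces the upstream patches referenced in the changelog.

```php
<?php
// Added example, not Drupal's code. Function names are hypothetical and the
// whitelist below is constructed for illustration.

// CVE-2007-5595 class: a redirect helper must never let CR or LF reach a
// Location header. If it does, a user-controlled path can terminate the
// header and append further headers or a body (HTTP response splitting).
function safe_redirect_target(string $path): ?string {
    // Reject raw and percent-encoded CR/LF before the value is handed to header().
    if (preg_match('/[\r\n]/', $path) || preg_match('/%0[ad]/i', $path)) {
        return null;
    }
    // Accept only site-relative paths ("/x..."), so "//host/..." cannot
    // redirect the visitor off-site.
    if ($path !== '/' && !preg_match('#^/[^/\\\\]#', $path)) {
        return null;
    }
    return $path;
}

// CVE-2007-5596 class: whitelisting .html lets an uploader store a page the
// browser renders under the site's own origin, which is stored XSS. Keep the
// whitelist short and refuse every browser-renderable or server-executed type
// in any extension segment (catches "shell.php.txt" as well as "page.html").
function upload_extension_allowed(string $filename): bool {
    static $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt']; // constructed list
    $blocked = ['html', 'htm', 'xhtml', 'php', 'phtml', 'js', 'svg'];
    $segments = explode('.', strtolower($filename));
    foreach ($segments as $segment) {
        if (in_array($segment, $blocked, true)) {
            return false;
        }
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Constructed sample inputs exercising both checks.
$redirects = [
    '/node/1',
    "/node/1\r\nSet-Cookie: session=injected",
    '/node/1%0d%0aSet-Cookie%3a+x',
    '//evil.example/phish',
];
foreach ($redirects as $r) {
    $ok = safe_redirect_target($r);
    echo json_encode($r), ' => ', $ok === null ? 'REJECTED' : 'ok', PHP_EOL;
}
foreach (['photo.jpg', 'page.html', 'notes.txt', 'shell.php.txt'] as $f) {
    echo $f, ' => ', upload_extension_allowed($f) ? 'allowed' : 'blocked', PHP_EOL;
}
```

Run with `php example.php`; the first, and only the first, redirect is accepted, and of the four filenames only photo.jpg and notes.txt pass. The percent-encoded check is defence in depth: a modern header() refuses raw newlines, but a helper that decodes its argument before emitting it would not be covered by that alone.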