Bug 142774 - www-apps/drupal: XSS Vulnerability in user module
Summary: www-apps/drupal: XSS Vulnerability in user module
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://drupal.org/node/76748
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-08-04 05:09 UTC by Dax
Modified: 2006-08-21 07:33 UTC

See Also:
Package list:
Runtime testing required: ---


Description Dax 2006-08-04 05:09:09 UTC
Drupal security advisory DRUPAL-SA-2006-011
----------------------------------------------------------------------------
Advisory ID: DRUPAL-SA-2006-011
Project: Drupal core
Date: 2006-Aug-02
Security risk: less critical
Impact: Drupal 4.6, Drupal 4.7
Where: from remote
Vulnerability: cross-site scripting
----------------------------------------------------------------------------

Description
-----------

A malicious user can execute a cross site scripting attack by enticing
someone to visit a Drupal site via a specially crafted link.

Versions affected
-----------------
- Drupal 4.6.x versions before Drupal 4.6.9
- Drupal 4.7.x versions before Drupal 4.7.3

Solution
--------
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.9
(http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.9.tar.gz).
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.3
(http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.3.tar.gz).

To patch Drupal 4.6.8 use http://drupal.org/files/sa-2006-011/4.6.8.patch.
To patch Drupal 4.7.2 use http://drupal.org/files/sa-2006-011/4.7.2.patch.

Reported By
-----------
Ayman Hourieh

Note about Drupal 4.7.3 and custom themes or JavaScript
-------------------------------------------------------

A bug in the form API theme layer made it possible to have an ID occur more
than once in a page. This invalidates the HTML, makes styling with CSS hard
or impossible, and can break JavaScript. A patch was committed to ensure
unique IDs.
This patch has a side-effect that IDs for hidden form fields in your site's
HTML will change. You might need to adapt your custom CSS or JavaScript, if
it refers to such a changed ID.

Contact
-------
The security contact for Drupal can be reached at security (at) drupal (dot) org
or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from
our security RSS feed http://drupal.org/security/rss.xml.

// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org

Rgds
Daxomatic
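The advisory above only says that a "specially crafted link" lets an attacker run a cross-site scripting attack against a visitor; it does not show the code path. The following is an added illustration written for this page, not Drupal's user module or any code from the advisory: a minimal reflected XSS pattern of that class, next to the same handler with output escaping. The `name` query parameter, the URL and the two `render_greeting_*` functions are hypothetical; `escape_html()` does what Drupal's `check_plain()` does (HTML-escape a string at output time) without depending on a Drupal install.

```php
<?php
// Added illustration, not Drupal's own code: a reflected XSS of the kind
// DRUPAL-SA-2006-011 describes, beside the output-escaping fix.
// The "name" parameter, the URL and the render functions are hypothetical.

// Same idea as Drupal's check_plain(): escape HTML metacharacters so the
// browser treats the value as text, never as markup.
function escape_html($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable: a request parameter is concatenated straight into the page.
function render_greeting_vulnerable(array $query) {
    $name = isset($query['name']) ? $query['name'] : 'anonymous';
    return '<p>Hello, ' . $name . '</p>';
}

// Hardened: the same value is escaped at the point where it enters HTML.
function render_greeting_fixed(array $query) {
    $name = isset($query['name']) ? $query['name'] : 'anonymous';
    return '<p>Hello, ' . escape_html($name) . '</p>';
}

// The "specially crafted link" the advisory mentions: the payload rides in
// the query string, and the victim only has to follow the link.
$crafted_link = 'http://example.invalid/user?name='
    . rawurlencode('<script>alert(document.cookie)</script>');

// Recover the query parameters the way the server would see them.
parse_str(parse_url($crafted_link, PHP_URL_QUERY), $query);

// Vulnerable output contains a live <script> element; the fixed output
// contains only &lt;script&gt;... entities, which render as harmless text.
echo "vulnerable: ", render_greeting_vulnerable($query), "\n";
echo "fixed:      ", render_greeting_fixed($query), "\n";

// Quick self-check a reviewer can run: the fixed rendering must not
// contain an unescaped tag, the vulnerable one does.
var_dump(strpos(render_greeting_fixed($query), '<script>') === false);
var_dump(strpos(render_greeting_vulnerable($query), '<script>') !== false);
```

Run it with `php` from the command line. The point to take from the advisory is the second half: the fix for this bug class is escaping at output, which is why the upstream patch and the 4.6.9 / 4.7.3 releases are the only real remedy; input filtering on a single parameter does not close the class.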
Comment 1 Wolf Giesen (RETIRED) gentoo-dev 2006-08-04 05:25:39 UTC
Hmm, B4 ... was there a stable version, ever?
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 08:11:54 UTC
www-apps, please bump to 4.6.9 / 4.7.3
Comment 3 Alexandre Ghisoli 2006-08-20 11:05:37 UTC
18 days since the security advisory, no Gentoo GLSA, no updated ebuild for a critical web application.

Not good, really, not good!
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-21 01:24:32 UTC
Please don't blame us for using an ~arched ebuild.

We're still within our target delays according to the policy [1]:
Trivial  	C4, ~0, ~1, ~2, ~3, ~4  	40 days  	no

There will be no glsa for this one, don't wait for it :)

[1] http://www.gentoo.org/security/en/vulnerability-policy.xml
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2006-08-21 06:21:39 UTC
I talked to Stuart and will bump drupal in the few next hours. 
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-08-21 07:09:24 UTC
(In reply to comment #2)
> please bump to 4.6.9 / 4.7.3

done.
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-21 07:10:46 UTC
Thanks Tobias & Stuart, let's close it now  :)

Comment 8 Alexandre Ghisoli 2006-08-21 07:23:27 UTC
(In reply to comment #4)
> please don't blame us for your using an ~arched ebuild.
> 
> We're still in our target delays according to the policy [1] :
> Trivial         C4, ~0, ~1, ~2, ~3, ~4          40 days         no
> 
> There will be no glsa for this one, don't wait for it :)
> 
> [1] http://www.gentoo.org/security/en/vulnerability-policy.xml
> 
Thanks for your post! I just remembered the vulnerability policy stuff now, thanks for pointing that out.

That said, Drupal is a large deployment by now, and we (Drupal users) need support to keep an up-to-date release, since websites are mission critical.

I really understand that a non-stable package will not get a full-time job to resolve issues, but patched versions are needed (in fact, we had overlays for this ....)

Anyway, thanks for your fast and quality support ;)
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-21 07:33:15 UTC
> Anyway, thanks for your fast and quality support ;)
> 

Thanks to the maintainers and to the arches team !

BTW, you can try to file a stabilization request if you want drupal to be stabilized.