Bug 151993 - www-apps/drupal: Drupal 4.6.10 and Drupal 4.7.4 fix three security vulnerabilities.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://drupal.org/drupal-4.7.4
Whiteboard: ~4 [noglsa] vorlon
Reported: 2006-10-19 11:44 UTC by Matthias Geerdsen (RETIRED)
Modified: 2006-11-28 07:14 UTC


Attachments
ebuild drupal-4.6.10 (drupal-4.6.10.ebuild,3.13 KB, text/plain)
2006-10-30 08:14 UTC, Emanuele Gentili
ebuild drupal-4.7.4 (drupal-4.7.4.ebuild,3.13 KB, text/plain)
2006-10-30 08:14 UTC, Emanuele Gentili

Description Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-19 11:44:06 UTC
http://drupal.org/files/sa-2006-024/advisory.txt: 
Project:          Drupal core
Date:             2006-Oct-18
Security risk:    Moderately critical
Exploitable from: Remote
Vulnerability:    Cross site scripting

http://drupal.org/files/sa-2006-025/advisory.txt :
Project:          Drupal core
Date:             2006-Oct-18
Security risk:    Highly critical
Exploitable from: Remote
Vulnerability:    Cross site request forgeries

http://drupal.org/files/sa-2006-026/advisory.txt :
Project:          Drupal core
Date:             2006-Oct-18
Security risk:    Less critical
Exploitable from: Remote
Vulnerability:    HTML attribute injection
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-19 11:44:39 UTC
web-apps, pls bump
Comment 2 Emanuele Gentili 2006-10-30 08:14:17 UTC
Created attachment 100799
ebuild drupal-4.6.10
Comment 3 Emanuele Gentili 2006-10-30 08:14:53 UTC
Created attachment 100800
ebuild drupal-4.7.4
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-23 13:44:18 UTC
/me watches his nick magically appear in status whiteboard....

CC'ing dev

st_lim, pls provide an updated ebuild
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-27 07:03:43 UTC
ok, I only just noticed that drupal is p.masked anyways (bug 98524)

given this little attention to it, one might consider removing it though!?

<quote>
# Christel Dahlskjaer <christel@gentoo.org> (09 Sep 2006)
# Serious QA issues; see bug #98524
www-apps/drupal
</quote>

Comment 6 Wolf Giesen (RETIRED) gentoo-dev 2006-11-27 23:51:15 UTC
Yes, one might consider that ^_^
Comment 7 Stuart Herbert (RETIRED) gentoo-dev 2006-11-28 06:20:38 UTC
Last I heard, Roy had agreed to take over maintenance of Drupal.

Best regards,
Stu
Comment 8 Roy Marples (RETIRED) gentoo-dev 2006-11-28 06:59:58 UTC
I said once someone retired st_lim or he left. ;)

At this point I'm saying "**** it" and I've put 4.7.4 in portage.
The old ebuilds have been removed and drupal has been removed from package.mask too.
Comment 9 Stuart Herbert (RETIRED) gentoo-dev 2006-11-28 07:13:40 UTC
Thanks Roy.

Best regards,
Stu
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-28 07:14:53 UTC
thanks a lot!

I think this bug can be closed then, feel free to reopen if I missed something.