Bug 94927 - www-apps/drupal: Privilege System Administrative Access
Summary: www-apps/drupal: Privilege System Administrative Access
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High trivial
Assignee: Gentoo Security
URL: http://secunia.com/advisories/15372/
Whiteboard: ~? [noglsa] formula7
Reported: 2005-06-03 07:29 UTC by Jean-François Brunette (RETIRED)
Modified: 2006-11-04 13:55 UTC
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-06-03 07:29:49 UTC
Description:
A vulnerability has been reported in Drupal, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an input validation error in the privilege system and can be exploited to gain administrative privileges.

Successful exploitation requires that the "Public registrations" option has been enabled.

The vulnerability has been reported in versions 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2 and 4.6.0.

Solution:
Update to version 4.4.3, 4.5.3, or 4.6.1.
http://drupal.org/project
Comment 1 Jean-François Brunette (RETIRED) gentoo-dev 2005-06-03 07:36:54 UTC
st_lim please bump
Comment 2 Jean-François Brunette (RETIRED) gentoo-dev 2005-06-07 11:09:31 UTC
web-apps please bump
Comment 3 Lim Swee Tat (RETIRED) gentoo-dev 2005-06-16 00:32:37 UTC
Hi,
  Sorry, was away in France for a holiday.  Just back.  Bumping... Should see in
CVS soon.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 01:33:24 UTC
Can't see the update on CVS yet...

st_lim: please keep the bug open, we'll close it when we're done. Comment when
the bump is committed.
Comment 5 Jean-François Brunette (RETIRED) gentoo-dev 2005-06-16 07:13:04 UTC
4.6.1 is in portage
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 08:44:43 UTC
alpha: please test and mark ~alpha if possible...
Comment 7 Fernando J. Pereda (RETIRED) gentoo-dev 2005-06-16 09:25:39 UTC
drupal re-keyworded. st_lim please next time follow the keywording policy. If
you think the new drupal version may not work on alpha for some reason file us a
bug and we'll take care of it. But _NEVER_ drop a keyword without explaining to us why.

Cheers,
Ferdy
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-06-16 09:46:07 UTC
Then we're done.