drupal-6.27 fixes vulnerability

Maintenance and security release of the Drupal 6 series. This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement: SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities. No other fixes are included.

Reproducible: Always
This issue is also on Drupal 7 so both need version bumps.
CVE-2012-5653 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5653): The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.

CVE-2012-5652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5652): Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result.

CVE-2012-5651 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5651): Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results.
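A defensive upload file-name check for the bug class behind CVE-2012-5653, added here as an illustration; it is not Drupal's code and not part of this bug report. The function names, the allow-list and the sample names are assumptions.

```php
<?php
// Added example, not code from Drupal or from this bug thread.
// Bug class behind CVE-2012-5653: a submitted file name carrying an embedded
// null byte can pass an extension check that inspects the whole string, while
// a lower layer that treats NUL as a terminator sees a shorter name with a
// different suffix. (PHP 5.3.4+ refuses NUL in filesystem paths, but the name
// can still reach other code, so reject it at validation time.)

/**
 * Naive check (the pattern to avoid): trusts the last extension of the
 * string exactly as submitted. "report.php\0.txt" ends in ".txt" and passes.
 */
function naive_extension_allowed(string $filename, array $allowed): bool
{
    $dot = strrpos($filename, '.');
    $ext = $dot === false ? '' : strtolower(substr($filename, $dot + 1));
    return in_array($ext, $allowed, true);
}

/**
 * Hardened check: refuse control characters (NUL included) and path
 * separators outright, then require every extension segment to be on the
 * allow-list so a multi-extension name cannot carry an executable type.
 */
function upload_filename_allowed(string $filename, array $allowed): bool
{
    if ($filename === '' || preg_match('/[\x00-\x1F\x7F]/', $filename)) {
        return false;          // NUL or other control byte: never legitimate
    }
    if (strpbrk($filename, "/\\") !== false) {
        return false;          // no directory escape through the name
    }
    $parts = explode('.', $filename);
    if (count($parts) < 2 || $parts[0] === '') {
        return false;          // require "<base>.<ext>", reject dotfiles
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array(strtolower($ext), $allowed, true)) {
            return false;      // "x.php.txt" is refused, not only "x.php"
        }
    }
    return true;
}

// Constructed sample names; the second one carries an embedded null byte.
$allowed = ['txt', 'jpg', 'png'];
foreach (["notes.txt", "report.php\0.txt", "photo.php.jpg"] as $name) {
    printf("%-20s naive=%s hardened=%s\n",
        addcslashes($name, "\0"),
        naive_extension_allowed($name, $allowed) ? 'accept' : 'reject',
        upload_filename_allowed($name, $allowed) ? 'accept' : 'reject');
}
```

The naive check accepts all three names; the hardened one accepts only "notes.txt".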
I copied the drupal-7.17.ebuild into local overlay as drupal-7.18.ebuild and emerged the drupal-7.18. No issues with 7.18 so far.
6.27 and 7.18 added to CVS, old versions removed.
When will this make it into portage? I just had a drupal-7.17 hacked! -- Regards,
(In reply to comment #4)
> 6.27 and 7.18 added to CVS, old versions removed.

Thanks, Tim! Closing noglsa for ~arch only.