Comment 1 Alex Legler (RETIRED) 2010-03-05 12:35:47 UTC

http://drupal.org/node/731710 -- SA-CORE-2010-001

 * Installation cross site scripting (6.x only)
A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed.

 * Open redirection (5.x and 6.x)
The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL.

 * Locale module cross site scripting (5.x and 6.x) (CVE-2009-4371)
Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly…

-> bug 300199

 * Blocked user session regeneration (5.x and 6.x)
Under certain circumstances, a user with an open session that is blocked can maintain his/her session on the Drupal site, despite being blocked.

Comment 2 Alex Legler (RETIRED) 2010-03-05 13:06:46 UTC

Closing noglsa.

+*drupal-6.16 (05 Mar 2010)
+*drupal-5.22 (05 Mar 2010)
+
+  05 Mar 2010; Alex Legler <a3li@gentoo.org> -drupal-5.21.ebuild,
+  +drupal-5.22.ebuild, -drupal-6.15.ebuild, +drupal-6.16.ebuild,
+  files/postinstall-en.txt:
+  Non-maintainer commit: Version bumps for security bugs 307811, 300199,
+  238571.
+

Comment 3 Alex Legler (RETIRED) 2010-03-07 13:56:54 UTC

*** Bug 308225 has been marked as a duplicate of this bug. ***