Bug 368745 - <www-apps/drupal-{6.22,7.2}: SA-CORE-2011-001 - Multiple vulnerabilities
Summary: <www-apps/drupal-{6.22,7.2}: SA-CORE-2011-001 - Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://lists.drupal.org/pipermail/sec...
Whiteboard: ~4 [noglsa]
Reported: 2011-05-25 21:48 UTC by Tom Hendrikx
Modified: 2011-07-04 00:15 UTC

Description Tom Hendrikx 2011-05-25 21:48:47 UTC
As published per e-mail on the security-news@drupal.org mailing list [1], both Drupal versions 6 and 7 have multiple vulnerabilities.

Drupal 5, which is still available in portage, is not commented on, but the website states "Drupal 5 will no longer be maintained when Drupal 7 is released." [2]

[1] http://lists.drupal.org/pipermail/security-news/2011-May/000256.html
[2] http://drupal.org/node/3060/release?api_version[]=78

Please handle accordingly :)
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-05-26 18:39:17 UTC
Thanks for the report, Tom.

From $URL:

  * Advisory ID: DRUPAL-SA-CORE-2011-001
  * Project: Drupal core [1]
  * Version: 6.x, 7.x
  * Date: 2011-May-25
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass, Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

Multiple vulnerabilities and weaknesses were discovered in Drupal.

.... Reflected cross site scripting vulnerability in error handler

A reflected cross site scripting vulnerability was discovered in Drupal's
error handler. Drupal displays PHP errors in the messages area, and a
specially crafted URL can cause malicious scripts to be injected into the
message. The issue can be mitigated by disabling on-screen error display at
admin/settings/error-reporting. This is the recommended setting for
production sites.

This issue affects Drupal 6.x only.

.... Cross site scripting vulnerability in Color module

When using re-colorable themes, color inputs are not sanitized. Malicious
color values can be used to insert arbitrary CSS and script code. Successful
exploitation requires the "Administer themes" permission.

This issue affects Drupal 6.x and 7.x.

.... Access bypass in File module

When using private files in combination with a node access module, the File
module allows unrestricted access to private files.

This issue affects Drupal 7.x only.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Drupal 7.x before version 7.1.
  * Drupal 6.x before version 6.21.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-07-04 00:15:16 UTC
Fixed packages are in the tree. Closing noglsa.
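
The Color module issue quoted in comment 1 comes from color inputs reaching a stylesheet without validation. The PHP below is an added example, not code from Drupal or from this bug report; the function names, the palette field names and the sample submission are assumptions constructed for illustration. It accepts only strict hex colors from a known set of fields and reports everything else as rejected.

```php
<?php
// Added example: allowlist validation for color inputs before they are
// written into CSS. All names here are hypothetical, not Drupal APIs.

// Palette fields the theme is allowed to recolor (assumed set).
const ALLOWED_FIELDS = ['base', 'link', 'text', 'top'];

/**
 * Accept only #rgb or #rrggbb.
 * The D modifier stops "$" from matching before a trailing newline,
 * so "#123456\n" is rejected as well.
 */
function is_valid_hex_color(string $value): bool {
  return preg_match('/^#(?:[0-9a-f]{3}){1,2}$/iD', $value) === 1;
}

/**
 * Build a stylesheet fragment from a submitted palette.
 * Returns [css, rejected] so the caller can raise a form error for each
 * rejected field instead of silently writing or dropping it.
 */
function build_palette_css(array $palette): array {
  $css = '';
  $rejected = [];
  foreach ($palette as $field => $value) {
    // The field name also ends up in the output, so it is checked too.
    if (!in_array($field, ALLOWED_FIELDS, true)
        || !is_string($value)
        || !is_valid_hex_color($value)) {
      $rejected[] = $field;
      continue;
    }
    $css .= sprintf(".color-%s { color: %s; }\n", $field, strtolower($value));
  }
  return [$css, $rejected];
}

// Constructed sample submission: two valid colors, one value that tries to
// close the CSS rule and add its own, and one with a trailing newline.
$submitted = [
  'base' => '#0072B9',
  'link' => '#fff',
  'text' => 'red; } body { display: none',
  'top'  => "#123456\n",
];

[$css, $rejected] = build_palette_css($submitted);
echo $css;
echo 'rejected: ' . implode(', ', $rejected) . "\n";
```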