According to the GulfTech advisory, Drupal is also affected.
Fixed version 4.6.2 is out.
This is a quite important security bug in Drupal. I can assure you that script kiddies can change your Drupal main page by just moving a finger. We are spending too much time solving it, so I would like to contribute. The next attachments are: - drupal-4.6.2.ebuild - files/postinstall-en-4.6.txt (since the instructions are a bit out of date now). Guys, you can make a simple diff to see what I've changed. Works for me on x86. Please test and solve it as soon as you have time. Thanks.
Created attachment 62676 [details] drupal-4.6.2.ebuild New drupal-4.6.2.ebuild
Created attachment 62677 [details] files/postinstall-en-4.6.txt New files/postinstall-en-4.6.txt
st_lim@gentoo.org has beaten us both to it. He's bumped drupal, and removed the older versions. Best regards, Stu
Ok, we now have the 4.6.2 ebuild in the tree, which solves this security issue. One more note: if we are going to keep both Drupal branches (4.6.x and 4.5.x) in the tree, which is a good idea since upstream is maintaining both, we need to update our 4.5.x to the new version 4.5.4. Currently we have version 4.5.2 in Portage, which is affected by this (and other) bugs. Thanks st_lim and Stuart. P.S.: we still need to update the postinstall instructions. Maybe opening another bug for this would be better?
As far as security is concerned, since drupal is not SLOTted, the provided fixed version is sufficient. Feel free to apply the fix to the other versions so that our users have more choice (otherwise you should probably remove the old affected version). I'm closing the security bug (no GLSA, package was always ~). Feel free to reopen it and reassign it to web-apps if you want to work on it further (or create another one).