Bug 285916

Summary: Drupal www-apps/drupal-{<5.20, <6.14} - Drupal Core, Multiple vulnerabilities
Product: Gentoo Security
Reporter: Adam Horner <adam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: adam, alex, blshadow, mryoung, ole+gentoo, stuart, yaleks
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://drupal.org/node/579482
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
    * Ebuild for drupal-6.14 (flags: none)

Description Adam Horner 2009-09-22 08:47:19 UTC
Multiple vulnerabilities and weaknesses were discovered in Drupal.

<6.14:
    * OpenID association cross site request forgeries
    * OpenID impersonation
    * File upload

<5.20:
    * Session fixation

Reproducible: Didn't try

Steps to Reproduce:
Comment 1 Sergey Morozov 2009-09-28 09:35:22 UTC
Created attachment 205449 [details]
Ebuild for drupal-6.14
Comment 2 Alexandre Ghisoli 2009-09-28 19:21:43 UTC
The security risk is flagged as critical in the Drupal Security Advisory:

    * Advisory ID: DRUPAL-SA-CORE-2009-008
    * Project: Drupal core
    * Version: 5.x, 6.x
    * Date: 2009-September-16
    * Security risk: Critical
    * Exploitable from: Remote
    * Vulnerability: Multiple vulnerabilities
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2009-10-11 16:26:01 UTC
Both bumped. Thank you guys.

Package has never been stable.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-10-11 16:45:46 UTC
Closing noglsa.