Your message dated Fri, 24 Aug 2007 18:38:59 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#439379: CVE-2007-4436: permission problem
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: drupal
Severity: normal

Hi

There has been a CVE[0] issued against drupal. Could you please
investigate whether the Debian versions are affected?
The CVE text states:

The Drupal Project module before 5.x-1.0, 4.7.x-2.3, and 4.7.x-1.3 and
Project issue tracking module before 5.x-1.0, 4.7.x-2.4, and 4.7.x-1.4
does not properly enforce permissions, which allows remote attackers to
(1) obtain sensitive via the Tracker Module and the Recent posts page;
(2) obtain project names via unspecified vectors; (3) obtain sensitive
information via the statistics pages; and (4) read CVS project activity.

Thanks for your efforts.
Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4436


--- End Message ---
--- Begin Message ---
Hi Steffen,
the Drupal Project module is a third-party module not included in Debian drupal packages, so Debian is not affected by default and a security update is not needed.

Regards,

L

--
Luigi Gangitano -- <[EMAIL PROTECTED]> -- <[EMAIL PROTECTED]>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26



--- End Message ---
