Package: drupal5
Version: 5.10-1
Severity: grave
Tags: security
Justification: user security hole

New upstream version 5.12 includes the fixes for two security-related
bugs: One is that Drupal currently can include files outside its root,
leading to arbitrary code execution under specific configurations; the
other bug (much more likely to be an issue to the public) is an XSS
vuln on the 'book' module.

Re: SA-2008-067

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (900, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages drupal5 depends on:
ii  apache [httpd]          1.3.34-4.1+etch1 versatile, high-performance HTTP s
ii  apache2                 2.2.3-4+etch5    Next generation, scalable, extenda
ii  apache2-mpm-prefork [ht 2.2.3-4+etch5    Traditional model for Apache HTTPD
ii  curl                    7.15.5-1etch1    Get a file from an HTTP, HTTPS, FT
ii  dbconfig-common         1.8.29+etch1     common framework for packaging dat
ii  debconf                 1.5.11etch2      Debian configuration management sy
ii  mysql-client-5.0 [mysql 5.0.32-7etch6    mysql database client binaries
ii  php5                    5.2.0-8+etch13   server-side, HTML-embedded scripti
ii  php5-gd                 5.2.0-8+etch13   GD module for php5
ii  php5-mysql              5.2.0-8+etch13   MySQL module for php5
ii  php5-pgsql              5.2.0-8+etch13   PostgreSQL module for php5
ii  postfix [mail-transport 2.5.5-1~bpo40+1  High-performance mail transport ag
ii  wwwconfig-common        0.0.48           Debian web auto configuration

Versions of packages drupal5 recommends:
ii  mysql-server-5.0 [mysql-se 5.0.32-7etch6 mysql database server binaries

-- debconf information:
* drupal5/mysql/admin-user: root
* drupal5/webserver:
* drupal5/mysql/method: unix socket
  drupal5/install-error: retry
  drupal5/passwords-do-not-match:
  drupal5/pgsql/method: unix socket
  drupal5/dbconfig-remove:
  drupal5/internal/skip-preseed: false
  drupal5/pgsql/authmethod-user:
  drupal5/remote/newhost:
  drupal5/dbconfig-upgrade: true
  drupal5/remote/port:
  drupal5/pgsql/changeconf: false
* drupal5/db/app-user: bine
  drupal5/pgsql/authmethod-admin: ident
* drupal5/database-type: mysql
  drupal5/upgrade-backup: true
  drupal5/dbconfig-reinstall: false
  drupal5/pgsql/admin-user: postgres
  drupal5/internal/reconfiguring: false
  drupal5/remote/host:
  drupal5/db/basepath:
* drupal5/dbconfig-install: true
  drupal5/pgsql/manualconf:
  drupal5/pgsql/no-empty-passwords:
  drupal5/remove-error: abort
  drupal5/purge: false
* drupal5/db/dbname: bine
  drupal5/upgrade-error: abort


