clone 503217 -1
tags 503217 + patch
reassign -1 drupal6
severity 503217 important
severity -1 important
Hi,

* Gunnar Wolf <[EMAIL PROTECTED]> [2008-10-23 19:52]:
> New upstream version 5.12 includes the fixes for two security-related
> bugs: One is that Drupal currently can include files outside its root,
> leading to arbitrary code execution under specific configurations; the
> other bug (much more likely to be an issue to the public) is an XSS
> vuln on the 'book' module.

This bug also affects drupal6, cloning.

I am downgrading this bug as the first vulnerability requires a user to already execute arbitrary code, so in this case this is somehow a privilege escalation to the user running apache. The second bug is also not a big issue, as it also requires the attacker to already have the permissions to create book content.

CVE IDs for those issues are pending.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.