Your message dated Thu, 28 Jan 2010 23:47:07 +0000
with message-id <74fd948d1001281547q348bd3cbi75bcfe0cde0c6...@mail.gmail.com>
and subject line Module not present in debian package
has caused the Debian Bug report #567417,
regarding drupal6: SA-CONTRIB-2010-004 - Node block XSS attack
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
567417: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567417
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: drupal6
Severity: critical
Tags: security
Justification: root security hole
The Node Block module creates a block from specified content type(s).
Node block doesn't properly escape titles allowing users with permissions
to create/edit the specified content type(s) to inject arbitrary code into
the site. Such a cross site scripting (XSS) attack may lead to a malicious
user gaining full administrative access.
The above is taken from http://drupal.org/node/683598
Your package is only affected if the Node Block module (from contributed
modules) is installed. Please let me know if this module is not present
in the drupal6 package.
Many regards,
Pedro
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (700, 'testing'), (650, 'unstable'), (600, 'experimental'), (500,
'testing-proposed-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.33-rc5 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
Sorry for the confusion, this module is not present in the Debian
package and hence we are unaffected by the bug.
Pedro
--- End Message ---