Your message dated Sun, 04 Nov 2012 17:12:15 +0100
with message-id <87vcdljqjk....@mid.deneb.enyo.de>
and subject line Re: Is that bug still open?
has caused the Debian Bug report #690817,
regarding [drupal7] [Security-news] SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
690817: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690817
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: drupal7
Version: 7.14-1
Severity: critical
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

--- Please enter the report below this line. ---

Hi!

There is currently a security issue with Drupal 7.14 in unstable, being shipped with wheezy.

http://drupal.org/node/1815912 is about Arbitrary PHP code execution of Drupal core up to 7.16:

  * Advisory ID: DRUPAL-SA-CORE-2012-003
  * Project: Drupal core [1]
  * Version: 7.x
  * Date: 2012-October-17
  * Security risk: Highly critical [2]
  * Exploitable from: Remote
  * Vulnerability: Information Disclosure, Arbitrary PHP code execution

-------- DESCRIPTION ---------------------------------------------------------

Multiple vulnerabilities were discovered in Drupal core.

.... Arbitrary PHP code execution

A bug in the installer code was identified that allows an attacker to
re-install Drupal using an external database server under certain transient
conditions. This could allow the attacker to execute arbitrary PHP code on
the original server.

This vulnerability is mitigated by the fact that the re-installation can only
be successful if the site's settings.php file or sites directories are
writeable by or owned by the webserver user. Configuring the Drupal
installation to be owned by a different user than the webserver user (and not
to be writeable by the webserver user) is a recommended security best
practice [3]. However, in all cases the transient conditions expose
information to an attacker who accesses install.php, and therefore this
security update should be applied to all Drupal 7 sites.


--- System information. ---
Architecture: amd64
Kernel:       Linux 3.2.0-4-amd64

Debian Release: wheezy/sid
  500 unstable        www.debian-multimedia.org
  500 unstable        ftp.de.debian.org

--- Package information. ---
Depends                    (Version) | Installed
====================================-+-============
debconf                    (>= 0.5)  | 1.5.46
 OR debconf-2.0                      |
apache2                              | 2.2.22-11
 OR httpd                            |
php5                                 | 5.4.4-7
php5-mysql                           | 5.4.4-7
 OR php5-pgsql                       | 5.4.4-7
php5-gd                              | 5.4.4-7
default-mta                          |
 OR mail-transport-agent             |
wwwconfig-common         (>= 0.0.37) | 0.2.2
mysql-client                         | 5.5.24+dfsg-9
 OR virtual-mysql-client             |
 OR postgresql-client                | 9.1+134wheezy1
dbconfig-common                      | 1.8.47+nmu1
curl                                 | 7.27.0-1


Recommends        (Version) | Installed
===========================-+-===========
mysql-server                | 5.5.24+dfsg-9
 OR postgresql              | 9.1+134wheezy1


Package's Suggests field is empty.




--
Ciao...            //      Fon: 0381-2744150
      Ingo       \X/       http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc

--- End Message ---
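The mitigation the advisory relies on (settings.php and the sites directories neither owned by nor writable by the webserver user) is something an administrator can verify on a running site. The POSIX shell check below is an added example, not code from the Debian package, the bug report or Drupal; the function name, the DRUPAL_ROOT/WEB_USER placeholders and the www-data account name are assumptions.

```shell
#!/bin/sh
# Hypothetical hardening check, not part of the Debian package, the bug report
# or Drupal itself. It lists Drupal 7 paths that meet the precondition the
# advisory describes: settings.php or a sites directory owned by, or writable
# by, the web server user. Run as root; DRUPAL_ROOT and WEB_USER are placeholders.

# drupal_writable_check DRUPAL_ROOT WEB_USER
# Prints one line per risky path. Returns 0 if nothing risky was found,
# 1 if something was, 2 if WEB_USER is not a known account.
drupal_writable_check() {
    root=$1
    webuser=$2
    id "$webuser" >/dev/null 2>&1 || { echo "unknown user: $webuser" >&2; return 2; }
    webgroup=$(id -gn "$webuser")
    rc=0
    for p in "$root"/sites "$root"/sites/* "$root"/sites/*/settings.php; do
        # skip unmatched globs; only directories and settings.php files matter here
        case $p in
            */settings.php) [ -f "$p" ] || continue ;;
            *)              [ -d "$p" ] || continue ;;
        esac
        # -prune keeps find from descending, so each test applies to $p itself
        if [ -n "$(find "$p" -prune -user "$webuser" -print)" ]; then
            echo "OWNED-BY-WEBUSER: $p"; rc=1
        elif [ -n "$(find "$p" -prune -perm -002 -print)" ]; then
            echo "WORLD-WRITABLE: $p"; rc=1
        elif [ -n "$(find "$p" -prune -perm -020 -group "$webgroup" -print)" ]; then
            echo "GROUP-WRITABLE-BY-WEBGROUP: $p"; rc=1
        fi
    done
    return $rc
}

# Stand-alone use, e.g.: sh check.sh /var/www/drupal7 www-data
if [ "$#" -eq 2 ]; then
    drupal_writable_check "$1" "$2"
fi
```

A non-zero exit status means the tree still satisfies the condition under which the advisory's re-installation path can succeed, so the permissions should be corrected in addition to applying the update.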
--- Begin Message ---
Version: 7.14-1.1

* Ingo Jürgensmann:

> Hi Gunnar, hi Luigi, hi security@d.o!
>
> I reported http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690817
> on Oct. 18th and Gunnar replied quickly with a patch. Since then the
> last message for this bug is pending/uploaded/delayed. In the
> meanwhile drupal7 7.14-1.1 is in unstable.  So, is that bug still
> open or should it be closed?

According to all resources except the BTS, it's fixed in that version,
so I'm closing the bug.

--- End Message ---
