Your message dated Wed, 09 Aug 2006 09:02:20 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#368835: fixed in drupal 4.5.8-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: drupal
Version: 4.5.8-1
Severity: grave
Tags: security
Justification: user security hole
http://drupal.org/node/65409
------------EXECUTION OF ARBITRARY FILES IN CERTAIN APACHE CONFIGURATIONS------------
* Advisory ID: DRUPAL-SA-2006-006
* Project: Drupal core
* Date: 2006-May-24
* Security risk: highly critical
* Impact: Drupal core
* Exploitable from: remote
* Vulnerability: Execution of arbitrary files
------------DESCRIPTION------------
Certain -- alas, typical -- configurations of Apache allow execution of
carefully named arbitrary scripts in the files directory. Drupal now will
attempt to automatically create a .htaccess file in your "files" directory
to protect you.
------------VERSIONS AFFECTED------------
- All Drupal versions before 4.6.7 and also Drupal 4.7.0.
------------SOLUTION------------
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.7.
If you are running Drupal 4.7.0 then upgrade to Drupal 4.7.1.
Make sure you have a .htaccess in your "files" dir and it contains this line:
SetHandler This_is_a_Drupal_security_line_do_not_remove
------------REPORTED BY------------
milw0rm
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or
using the form at [http://drupal.org/contact].
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages drupal depends on:
ii apache-ssl [httpd] 1.3.34-2 versatile, high-performance HTTP s
ii apache2-mpm-prefork [httpd] 2.0.55-4 traditional model for Apache2
ii debconf [debconf-2.0] 1.5.0 Debian configuration management sy
ii libapache2-mod-php4 4:4.4.2-1 server-side, HTML-embedded scripti
ii makepasswd 1.10-3 Generate and encrypt passwords
ii mysql-client-5.0 [mysql-clien 5.0.18-7 mysql database client binaries
ii php4-cgi 4:4.4.2-1 server-side, HTML-embedded scripti
ii php4-cli 4:4.4.2-1 command-line interpreter for the p
ii php4-mysql 4:4.4.2-1 MySQL module for php4
ii php4-pgsql 4:4.4.2-1 PostgreSQL module for php4
ii postfix [mail-transport-agent 2.1.5-9 A high-performance mail transport
ii postgresql-client 7.5.19 front-end programs for PostgreSQL
ii wwwconfig-common 0.0.45 Debian web auto configuration
Versions of packages drupal recommends:
ii mysql-server-5.0 [mysql-serve 5.0.18-7 mysql database server binaries
ii postgresql 7.5.19 object-relational SQL database man
-- debconf information:
drupal/remove_backups: false
drupal/createuser_failed:
drupal/db_auto_update: true
drupal/dropdb_failed:
drupal/upgradedb_impossible:
drupal/dbgeneration: false
drupal/dbtype: MySQL
drupal/database_doremove: false
drupal/createdb_failed:
drupal/dbserver: localhost
drupal/webserver: apache
drupal/upgradedb_failed:
drupal/dbname: drupal
drupal/dbuser: drupal
drupal/dbadmin: root
drupal/initdb_failed:
drupal/conffile_failed:
--- End Message ---
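The .htaccess check recommended in the SOLUTION section of the advisory above, as an added example that is not part of the advisory, the bug report or the Debian drupal package: a POSIX shell script that verifies a Drupal "files" directory carries the SetHandler line and appends it when missing. The directory path is an assumption supplied as the script's first argument.

```shell
#!/bin/sh
# Added example, not part of the advisory or the Debian package: verify that a
# Drupal "files" directory is protected by the .htaccess line from
# DRUPAL-SA-2006-006 and add the line when it is missing.
# The directory path is an assumption: pass it as the first argument.

# The exact line the advisory says files/.htaccess must contain.
DRUPAL_LINE='SetHandler This_is_a_Drupal_security_line_do_not_remove'

# Return 0 when "$1/.htaccess" exists and contains the line verbatim
# (-x: whole-line match, -F: fixed string, no regex interpretation).
files_dir_protected() {
    [ -f "$1/.htaccess" ] || return 1
    grep -qxF "$DRUPAL_LINE" "$1/.htaccess"
}

# Append the line to "$1/.htaccess" unless it is already there, so repeated
# runs never duplicate it. Return 0 when the directory ends up protected,
# 1 when "$1" is not a directory.
ensure_files_dir_protected() {
    [ -d "$1" ] || return 1
    if files_dir_protected "$1"; then
        return 0
    fi
    printf '%s\n' "$DRUPAL_LINE" >> "$1/.htaccess"
    files_dir_protected "$1"
}

# Command-line use (path is an assumption): sh check_files_htaccess.sh /var/www/drupal/files
if [ -n "${1:-}" ]; then
    if ensure_files_dir_protected "$1"; then
        echo "$1/.htaccess contains the Drupal protection line"
    else
        echo "$1 is not a directory" >&2
        exit 1
    fi
fi
```

The script only confirms the line is present in the file; Apache honours a .htaccess only where the enclosing configuration permits it (SetHandler in .htaccess needs AllowOverride to include FileInfo), so the check is necessary but not sufficient on its own. It is safe to run from cron or a deploy hook, since a second run on an already protected directory makes no change.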
--- Begin Message ---
Source: drupal
Source-Version: 4.5.8-2
We believe that the bug you reported is fixed in the latest version of
drupal, which is due to be installed in the Debian FTP archive:
drupal_4.5.8-2.diff.gz
to pool/main/d/drupal/drupal_4.5.8-2.diff.gz
drupal_4.5.8-2.dsc
to pool/main/d/drupal/drupal_4.5.8-2.dsc
drupal_4.5.8-2_all.deb
to pool/main/d/drupal/drupal_4.5.8-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated drupal package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 9 Aug 2006 17:46:45 +0200
Source: drupal
Binary: drupal
Architecture: source all
Version: 4.5.8-2
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description:
drupal - fully-featured content management/discussion engine
Closes: 368835 382087
Changes:
drupal (4.5.8-2) unstable; urgency=high
.
  * QA Upload for orphaned package.
    High urgency for security fix.
.
  * CVE-2006-4002: drupal XSS vulnerability (Closes: #382087).
    Apply upstream patch.
  * Setting maintainer to Debian QA Group.
  * Move debhelper to Build-Depends since used in clean target.
  * Acknowledging changes from NMU by Steinar Gunderson, thanks!
.
drupal (4.5.8-1.1) unstable; urgency=high
.
  * Non-maintainer upload.
  * Backport changes from 4.6.6 -> 4.6.8 to fix security issues:
    - DRUPAL-SA-2006-005/CVE-2006-2742: fixes critical SQL issue
    - DRUPAL-SA-2006-006/CVE-2006-2743: fixes critical upload issue
    - DRUPAL-SA-2006-007/CVE-2006-2832: fixes critical upload issue (Closes: #368835)
    - DRUPAL-SA-2006-008/CVE-2006-2833: fixes taxonomy XSS issue
Files:
7a3a88e0ae9d7dd9a80da82c5e5da624 563 web extra drupal_4.5.8-2.dsc
29b8b465222b6b5a3f134e917ab690e8 49993 web extra drupal_4.5.8-2.diff.gz
5d5252f6f3bf9442fa479b8c39a628de 489646 web extra drupal_4.5.8-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFE2gUhJdKMxZV9WM8RAjVKAKDPEWcOgdisjE1O2dnwr6df5ulyOwCfVwuH
pJYf12Ak7XdDtvOGurnFSNA=
=ZmlC
-----END PGP SIGNATURE-----
--- End Message ---