Your message dated Wed, 09 Aug 2006 09:02:20 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#382087: fixed in drupal 4.5.8-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: drupal
Severity: grave
Tags: security
Justification: user security hole

An XSS vulnerability has been found in Drupal:

Cross-site scripting (XSS) vulnerability in user.module in Drupal 4.6
before 4.6.9, and 4.7 before 4.7.3, allows remote attackers to inject
arbitrary web script or HTML via the msg parameter.  NOTE: portions of
these details are obtained from third party information.

See http://drupal.org/node/76748

Please mention the CVE-id in the changelog.


--- End Message ---
--- Begin Message ---
Source: drupal
Source-Version: 4.5.8-2

We believe that the bug you reported is fixed in the latest version of
drupal, which is due to be installed in the Debian FTP archive:

drupal_4.5.8-2.diff.gz
  to pool/main/d/drupal/drupal_4.5.8-2.diff.gz
drupal_4.5.8-2.dsc
  to pool/main/d/drupal/drupal_4.5.8-2.dsc
drupal_4.5.8-2_all.deb
  to pool/main/d/drupal/drupal_4.5.8-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated drupal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  9 Aug 2006 17:46:45 +0200
Source: drupal
Binary: drupal
Architecture: source all
Version: 4.5.8-2
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description: 
 drupal     - fully-featured content management/discussion engine
Closes: 368835 382087
Changes: 
 drupal (4.5.8-2) unstable; urgency=high
 .
   * QA Upload for orphaned package.
     High urgency for security fix.
 .
   * CVE-2006-4002: drupal XSS vulnerability (Closes: #382087).
     Apply upstream patch.
   * Setting maintainer to Debian QA Group.
   * Move debhelper to Build-Depends since used in clean target.
   * Acknowledging changes from NMU by Steiner Gunderson, thanks!
 .
 drupal (4.5.8-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Backport changes from 4.6.6 -> 4.6.8 to fix security issues:
     - DRUPAL-SA-2006-005/CVE-2006-2742: fixes critical SQL issue
     - DRUPAL-SA-2006-006/CVE-2006-2743: fixes critical upload issue
     - DRUPAL-SA-2006-007/CVE-2006-2832: fixes critical upload issue (Closes: #368835)
     - DRUPAL-SA-2006-008/CVE-2006-2833: fixes taxonomy XSS issue
Files: 
 7a3a88e0ae9d7dd9a80da82c5e5da624 563 web extra drupal_4.5.8-2.dsc
 29b8b465222b6b5a3f134e917ab690e8 49993 web extra drupal_4.5.8-2.diff.gz
 5d5252f6f3bf9442fa479b8c39a628de 489646 web extra drupal_4.5.8-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE2gUhJdKMxZV9WM8RAjVKAKDPEWcOgdisjE1O2dnwr6df5ulyOwCfVwuH
pJYf12Ak7XdDtvOGurnFSNA=
=ZmlC
-----END PGP SIGNATURE-----


--- End Message ---
