Your message dated Mon, 27 Oct 2008 15:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#503222: fixed in drupal6 6.6-1
has caused the Debian Bug report #503222,
regarding drupal6: Security issues fixed by new version
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
503222: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503222
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: drupal5
Version: 5.10-1
Severity: grave
Tags: security
Justification: user security hole
New upstream version 5.12 includes the fixes for two security-related
bugs: One is that Drupal currently can include files outside its root,
leading to arbitrary code execution under specific configurations; the
other bug (much more likely to be an issue to the public) is an XSS
vuln on the 'book' module.
Re: SA-2008-067
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (900, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages drupal5 depends on:
ii apache [httpd] 1.3.34-4.1+etch1 versatile, high-performance HTTP s
ii apache2 2.2.3-4+etch5 Next generation, scalable, extenda
ii apache2-mpm-prefork [ht 2.2.3-4+etch5 Traditional model for Apache HTTPD
ii curl 7.15.5-1etch1 Get a file from an HTTP, HTTPS, FT
ii dbconfig-common 1.8.29+etch1 common framework for packaging dat
ii debconf 1.5.11etch2 Debian configuration management sy
ii mysql-client-5.0 [mysql 5.0.32-7etch6 mysql database client binaries
ii php5 5.2.0-8+etch13 server-side, HTML-embedded scripti
ii php5-gd 5.2.0-8+etch13 GD module for php5
ii php5-mysql 5.2.0-8+etch13 MySQL module for php5
ii php5-pgsql 5.2.0-8+etch13 PostgreSQL module for php5
ii postfix [mail-transport 2.5.5-1~bpo40+1 High-performance mail transport ag
ii wwwconfig-common 0.0.48 Debian web auto configuration
Versions of packages drupal5 recommends:
ii mysql-server-5.0 [mysql-se 5.0.32-7etch6 mysql database server binaries
--- End Message ---
--- Begin Message ---
Source: drupal6
Source-Version: 6.6-1
We believe that the bug you reported is fixed in the latest version of
drupal6, which is due to be installed in the Debian FTP archive:
drupal6_6.6-1.diff.gz
to pool/main/d/drupal6/drupal6_6.6-1.diff.gz
drupal6_6.6-1.dsc
to pool/main/d/drupal6/drupal6_6.6-1.dsc
drupal6_6.6-1_all.deb
to pool/main/d/drupal6/drupal6_6.6-1_all.deb
drupal6_6.6.orig.tar.gz
to pool/main/d/drupal6/drupal6_6.6.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luigi Gangitano <[EMAIL PROTECTED]> (supplier of updated drupal6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.8
Date: Fri, 24 Oct 2008 23:06:15 +0200
Source: drupal6
Binary: drupal6
Architecture: source all
Version: 6.6-1
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <[EMAIL PROTECTED]>
Changed-By: Luigi Gangitano <[EMAIL PROTECTED]>
Description:
drupal6 - a fully-featured content management framework
Closes: 503222
Changes:
drupal6 (6.6-1) unstable; urgency=high
.
[ Luigi Gangitano ]
* Urgency high due to security fixes
.
* New upstream release
- Fixes two security vulnerabilities
(Ref: SA-2008-067, CVE-TBA) (Closes: #503222)
.
* debian/drual6.postrm
- Fixed missing -e option to make lintian happy
.
* debian/patches/10_cronjob.dpatch
- Added patch description to make lintian happy
.
* debian/control
- Bumped Standard-Version to 3.8.0, no change needed
.
* debian/{control,rules,links}
- Added dependency on libjs-jquery and use jquery.js from it
--- End Message ---