Package: drupal6
Severity: critical
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
--- Please enter the report below this line. ---
Hi!
There's a security update for Drupal6 and Drupal7 available:
http://drupal.org/SA-CORE-2012-004
Multiple vulnerabilities were fixed in the supported Drupal core
versions 6 and 7.
Access bypass (User module search - Drupal 6 and 7)
A vulnerability was identified that allows blocked users to appear in
user search results, even when the search results are viewed by
unprivileged users.
This vulnerability is mitigated by the fact that the default Drupal core
user search results only display usernames (and disclosure of usernames
is not considered a security vulnerability). However, since modules or
themes may override the search results to display more information from
each user's profile, this could result in additional information about
blocked users being disclosed on some sites.
CVE: Requested.
Access bypass (Upload module - Drupal 6)
A vulnerability was identified that allows information about uploaded
files to be displayed in RSS feeds and search results to users that do
not have the "view uploaded files" permission.
This issue affects Drupal 6 only.
CVE: Requested.
Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)
Drupal core's file upload feature blocks the upload of many files that
can be executed on the server by munging the filename. A malicious user
could name a file in a manner that bypasses this munging of the filename
in Drupal's input validation.
This vulnerability is mitigated by several factors: The attacker would
need the permission to upload a file to the server. Certain combinations
of PHP and filesystems are not vulnerable to this issue, though we did
not perform an exhaustive review of the supported PHP versions. Finally:
the server would need to allow execution of files in the uploads
directory. Drupal core has protected against this with a .htaccess file
protection in place from SA-2006-006 - Drupal Core - Execution of
arbitrary files in certain Apache configurations. Users of IIS should
consider updating their web.config. Users of Nginx should confirm that
only the index.php and other known good scripts are executable. Users of
other webservers should review their configuration to ensure the goals
are achieved in some other way.
CVE: Requested.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in
accordance with Drupal Security Team processes.
Versions affected
Drupal core 6.x versions prior to 6.27.
Drupal core 7.x versions prior to 7.18.
Solution
Install the latest version:
If you use Drupal 6.x, upgrade to Drupal core 6.27.
If you use Drupal 7.x, upgrade to Drupal core 7.18.
--- System information. ---
Architecture: amd64
Kernel: Linux 3.2.0-4-amd64
Debian Release: 7.0
500 unstable www.deb-multimedia.org
500 unstable ftp.de.debian.org
1 experimental ftp.de.debian.org
--- Package information. ---
Package's Depends field is empty.
Package's Recommends field is empty.
Package's Suggests field is empty.
--
Ciao... // Fon: 0381-2744150
Ingo \X/ http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
