Your message dated Wed, 20 Jan 2010 13:52:41 +0000
with message-id <[email protected]>
and subject line Bug#562165: fixed in drupal6 6.6-3lenny4
has caused the Debian Bug report #562165,
regarding CVE-2009-4369, CVE-2009-4370, CVE-2009-4371: Several XSS issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
562165: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562165
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: drupal6
Severity: grave
Tags: security patch
Hi Luigi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for drupal6.
CVE-2009-4371[0]:
| Cross-site scripting (XSS) vulnerability in the Locale module
| (modules/locale/locale.module) in Drupal Core 6.14, and possibly other
| versions including 6.15, allows remote authenticated users with
| "administer languages" permissions to inject arbitrary web script or
| HTML via the (1) Language name in English or (2) Native language name
| fields in the Custom language form.
CVE-2009-4370[1]:
| Cross-site scripting (XSS) vulnerability in the Menu module
| (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows
| remote authenticated users with permissions to create new menus to
| inject arbitrary web script or HTML via a menu description, which is
| not properly handled in the menu administration overview.
CVE-2009-4369[2]:
| Cross-site scripting (XSS) vulnerability in the Contact module
| (modules/contact/contact.admin.inc or modules/contact/contact.module)
| in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote
| authenticated users with "administer site-wide contact form"
| permissions to inject arbitrary web script or HTML via the contact
| category name.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For the latter two you can find the upstream patch here[3]. The former
issue has the patch here[4].
For lenny, please coordinate with the stable release team and go via
stable-proposed-updates as these issues do not seem to warrant a DSA.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4371
http://security-tracker.debian.org/tracker/CVE-2009-4371
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4370
http://security-tracker.debian.org/tracker/CVE-2009-4370
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4369
http://security-tracker.debian.org/tracker/CVE-2009-4369
[3] http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch
[4] http://www.madirish.net/?article=442
--- End Message ---
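The unescaped-output pattern that the three CVE descriptions above share, shown as an added PHP example that is not Drupal's code and not part of the bug report; check_plain() here is a stand-in for Drupal 6's function of that name (assumed to be a plain HTML escape), and the sample values are constructed:

```php
<?php
// Added example, not Drupal's code nor part of the bug report. It shows the
// pattern behind CVE-2009-4369/4370/4371: text entered by an administrator
// (menu description, contact category name, language name) is echoed into an
// admin overview page as markup. Drupal 6 escapes such text with check_plain();
// this stand-in has the same effect so the file runs without Drupal (assumption).
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values, shaped like what the three admin forms would store.
$samples = array(
  'menu description'   => 'Main navigation <script>alert(1)</script>',
  'contact category'   => 'Sales "Team" & Support',
  'locale native name' => "Fran\xc3\xa7ais <b>bold</b>",
);

// Vulnerable overview row: the stored value is concatenated into the HTML as-is,
// so any tags in it become part of the page every administrator views.
function overview_row_unescaped($label, $value) {
  return '<tr><td>' . $label . '</td><td>' . $value . '</td></tr>';
}

// Fixed overview row, the shape of the SA-CORE-2009-009 change: escape at
// output time, so the value is displayed literally and never parsed as markup.
function overview_row_escaped($label, $value) {
  return '<tr><td>' . $label . '</td><td>' . check_plain($value) . '</td></tr>';
}

// Regression check a maintainer can keep: an escaped cell must not contain any
// character that could open a tag or break out of an attribute.
function cell_is_inert($escaped_value) {
  return strpbrk($escaped_value, '<>"\'') === false;
}

foreach ($samples as $label => $value) {
  echo overview_row_unescaped($label, $value), "\n";
  echo overview_row_escaped($label, $value), "\n";
  assert(cell_is_inert(check_plain($value)));
}
```

Running the file prints each row twice, first with the raw value (the script tag survives intact) and then with the escaped value, where `<`, `>`, `&` and quotes appear as entities.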
--- Begin Message ---
Source: drupal6
Source-Version: 6.6-3lenny4
We believe that the bug you reported is fixed in the latest version of
drupal6, which is due to be installed in the Debian FTP archive:
drupal6_6.6-3lenny4.diff.gz
to main/d/drupal6/drupal6_6.6-3lenny4.diff.gz
drupal6_6.6-3lenny4.dsc
to main/d/drupal6/drupal6_6.6-3lenny4.dsc
drupal6_6.6-3lenny4_all.deb
to main/d/drupal6/drupal6_6.6-3lenny4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luigi Gangitano <[email protected]> (supplier of updated drupal6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 15 Jan 2010 00:44:59 +0100
Source: drupal6
Binary: drupal6
Architecture: source all
Version: 6.6-3lenny4
Distribution: stable-proposed-updates
Urgency: low
Maintainer: Luigi Gangitano <[email protected]>
Changed-By: Luigi Gangitano <[email protected]>
Description:
drupal6 - a fully-featured content management framework
Closes: 562165
Changes:
drupal6 (6.6-3lenny4) stable-proposed-updates; urgency=low
.
[ Luigi Gangitano ]
* debian/patches/18_SA-CORE-2009-009
- Fix XSS issues in Contact and Menu modules (Closes: #562165)
(Ref: SA-CORE-2009-009, CVE-2009-4369, CVE-2009-4370, CVE-2009-4371)
--- End Message ---