[SECURITY] Fedora EPEL 4 Update: drupal-5.23-1.el4

updates at fedoraproject.org updates at fedoraproject.org
Mon Aug 16 17:35:32 UTC 2010 

--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2010-3228
2010-08-16 16:53:15
--------------------------------------------------------------------------------

Name        : drupal
Product     : Fedora EPEL 4
Version     : 5.23
Release     : 1.el4
URL         : http://www.drupal.org
Summary     : An open-source content-management platform
Description :
Equipped with a powerful blend of features, Drupal is a Content Management
System written in PHP that can support a variety of websites ranging from
personal weblogs to large community-driven websites.  Drupal is highly
configurable, skinnable, and secure.

--------------------------------------------------------------------------------
Update Information:

DRUPAL-SA-CORE-2010-002 ( http://drupal.org/node/880476 )    Remember to log in
to your site as the admin user before upgrading this package. After upgrading
the package, browse to http://host/drupal/update.php to run the upgrade script,
for each site.      * Advisory ID: DRUPAL-SA-CORE-2010-002    * Project: Drupal
core    * Version: 5.x, 6.x    * Date: 2010-August-11    * Security risk:
Critical    * Exploitable from: Remote    * Vulnerability: Multiple
vulnerabilities    -------- DESCRIPTION    Multiple vulnerabilities and
weaknesses were discovered in Drupal.    OpenID authentication bypass    The
OpenID module provides users the ability to login to sites using an OpenID
account. The OpenID module doesn't implement all the required verifications from
the OpenID 2.0 protocol and is vulnerable to a number of attacks. Specifically:
- OpenID should verify that a "openid.response_nonce" has not already been used
for an assertion by the OpenID provider  - OpenID should verify the value of
openid.return_to as obtained from the OpenID provider  - OpenID must verify that
all fields that are required to be signed are signed    These specification
violations allow malicious sites to harvest positive assertions from OpenID
providers and use them on sites using the OpenID module to obtain access to
preexisting accounts bound to the harvested OpenIDs. Intercepted assertions from
OpenID providers can also be replayed and used to obtain access to user accounts
bound to the intercepted OpenIDs. This issue affects Drupal 6.x only. A separate
security announcement and release [1] is published for the contributed OpenID
module for Drupal 5.x.    File download access bypass    The upload module
allows users to upload files and provides access checking for file downloads.
The module looks up files for download in the database and serves them for
download after access checking. However, it does not account for the fact that
certain database configurations will not consider case differences in file
names. If a malicious user uploads a file which only differs in letter case,
access will be granted for the earlier upload regardless of actual file access
to that. This issue affects Drupal 5.x and 6.x.    Comment unpublishing bypass
The comment module allows users to leave comments on content on the site. The
module supports unpublishing comments by privileged users. Users with the "post
comments without approval" permission however could craft a URL which allows
them to republish previously unpublished comments. This issue affects Drupal 5.x
and 6.x.    Actions cross site scripting    The actions feature combined with
Drupal's trigger module allows users to configure certain actions to happen when
users register, content is submitted, and so on; through a web based interface.
Users with "administer actions permission" can enter action descriptions and
messages which are not properly filtered on output. Users with content and
taxonomy tag submission permissions can create nodes and taxonomy terms which
are not properly sanitized for inclusion in action messages and inject arbitrary
HTML and script code into Drupal pages. Such a cross-site scripting attack may
lead to the malicious user gaining administrative access. Wikipedia has more
information about cross-site scripting [2] (XSS). This issue affects Drupal 6.x
only.    -------- VERSIONS AFFECTED      * Drupal 6.x before version 6.18 or
6.19.    * Drupal 5.x before version 5.23.    -------- SOLUTION    Install the
latest version:      * If you are running Drupal 6.x then upgrade to Drupal 6.18
[3] or Drupal 6.19 [4].    * If you are running Drupal 5.x then upgrade to
Drupal 5.23 [5].    Drupal 5 will no longer be maintained when Drupal 7 is
released [6]. Upgrading to Drupal 6 [7] is recommended. The security team starts
a new practice of releasing both a pure security update without other bugfixes
and a security update combined with other bug fixes and improvements. You can
choose to either only include the security update for an immediate fix (which
might require less quality assurance and testing) or more fixes and improvements
alongside the security fixes by choosing between Drupal 6.18 and Drupal 6.19.
Read the announcement [8] for more information.    -------- REPORTED BY    The
OpenID authentication bypass issues were reported by Johnny Bufu [9], Christian
Schmidt [10] and Heine Deelstra [11] (). The file download access bypass was
reported by Dylan Tack [12] (). The comment unpublish bypass issue was reported
by Heine Deelstra [13] (). The actions module cross site scripting was reported
by Justin Klein Keane [14] and Heine Deelstra [15] (). (*) Member of the Drupal
security team.    -------- FIXED BY    The OpenID authentication issues were
fixed by Christian Schmidt [16], Heine Deelstra [17] () and Damien Tournoud [18]
(). The file download access bypass was fixed by Dave Reid [19] () and Neil
Drumm [20] (). The comment unpublish bypass issue was fixed by Heine Deelstra
[21] (). The actions module cross site scripting was fixed by Justin Klein Keane
[22] and Heine Deelstra [23] (). (*) Member of the Drupal security team.
-------- CONTACT    The security team for Drupal can be reached at security at
drupal.org or via the form at http://drupal.org/contact.    * [1]
http://drupal.org/node/880480  * [2] http://en.wikipedia.org/wiki/Cross-
site_scripting  * [3] http://ftp.drupal.org/files/projects/drupal-6.18.tar.gz  *
[4] http://ftp.drupal.org/files/projects/drupal-6.19.tar.gz  * [5]
http://ftp.drupal.org/files/projects/drupal-5.23.tar.gz  * [6]
http://drupal.org/node/725382  * [7] http://drupal.org/upgrade  * [8]
http://drupal.org/drupal-6.19  * [9] http://drupal.org/user/226462  * [10]
http://drupal.org/user/216078  * [11] http://drupal.org/user/17943  * [12]
http://drupal.org/user/96647  * [13] http://drupal.org/user/17943  * [14]
http://drupal.org/user/302225  * [15] http://drupal.org/user/17943  * [16]
http://drupal.org/user/216078  * [17] http://drupal.org/user/17943  * [18]
http://drupal.org/user/22211  * [19] http://drupal.org/user/53892  * [20]
http://drupal.org/user/3064  * [21] http://drupal.org/user/17943  * [22]
http://drupal.org/user/302225  * [23] http://drupal.org/user/17943
--------------------------------------------------------------------------------

This update can be installed with the "yum" update programs.  Use
su -c 'yum update drupal' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora EPEL GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the epel-package-announce mailing list