[SECURITY] Fedora 13 Update: drupal-views-6.x.2.11-1.fc13
updates at fedoraproject.org
Mon Jun 21 21:44:32 UTC 2010
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-10215
2010-06-21 21:03:55
--------------------------------------------------------------------------------
Name : drupal-views
Product : Fedora 13
Version : 6.x.2.11
Release : 1.fc13
URL : http://drupal.org/project/views
Summary : Provides a method for site designers to control content presentation
Description :
The views module provides a flexible method for Drupal site designers
to control how lists of content (nodes) are presented. Traditionally,
Drupal has hard-coded most of this, particularly in how taxonomy and
tracker lists are formatted.
This tool is essentially a smart query builder that, given enough
information, can build the proper query, execute it, and display the
results. It has four modes, plus a special mode, and provides an
impressive amount of functionality from these modes.
--------------------------------------------------------------------------------
Update Information:
* Advisory ID: DRUPAL-SA-CONTRIB-2010-067 (http://drupal.org/node/829840)
* Project: Views (third-party module)
* Version: 5.x, 6.x
* Date: 2010-June-16
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

The Views module provides a flexible method for Drupal site designers to
control how lists and tables of content are presented.

-------- CROSS SITE REQUEST FORGERY (CSRF) -----------------------------------

The Views UI module, which is included with Views, can be used to
enable/disable Views by following a link to a particular page (e.g.
admin/build/views/disable/frontpage). As no protections, such as form tokens,
are in place to prevent forged requests to these pages, the feature is
vulnerable to a Cross Site Request Forgery (CSRF [1]) that would allow an
attacker to enable/disable all Views on a site.

Mitigating factors: If the Views UI module is disabled, Views will no longer
be affected by this vulnerability.

This issue affects Views for Drupal 5 and Drupal 6.

-------- CROSS SITE SCRIPTING (XSS) ------------------------------------------

Under certain circumstances, Views could display URLs or aggregator feed
titles without escaping, resulting in a Cross Site Scripting (XSS [2])
vulnerability. An attacker could exploit this to gain full administrative
access.

This issue affects Views for Drupal 6 only.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Views module for Drupal 5.x versions prior to 5.x-1.8
* Views module for Drupal 6.x versions prior to 6.x-2.11

Drupal core is not affected. If you do not use the contributed Views [3]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Views module for Drupal 5.x upgrade to Views 5.x-1.8 [4]
* If you use the Views module for Drupal 6.x upgrade to Views 6.x-2.11 [5]

See also the Views project page [6].

-------- REPORTED BY ---------------------------------------------------------

* The Cross Site Request Forgery (CSRF) vulnerability was reported by Martin
  Barbella (mbarbella [7]).
* The Cross Site Scripting (XSS) vulnerabilities were reported by Earl Miles
  (merlinofchaos [8]), module maintainer, and Daniel Wehner (dereine [9]),
  module co-maintainer.

-------- FIXED BY ------------------------------------------------------------

* Earl Miles (merlinofchaos [10]), module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [11] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

* [1] http://en.wikipedia.org/wiki/Csrf
* [2] http://en.wikipedia.org/wiki/Cross-site_scripting
* [3] http://drupal.org/project/views
* [4] http://drupal.org/node/829848
* [5] http://drupal.org/node/829846
* [6] http://drupal.org/project/views
* [7] http://drupal.org/user/633600
* [8] http://drupal.org/user/26979
* [9] http://drupal.org/user/99340
* [10] http://drupal.org/user/26979
* [11] http://drupal.org/security-team
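The two issues above share a pattern worth seeing in code: a state-changing GET link with no per-session token, and untrusted strings written into HTML without escaping. The example below is added here for illustration; it is not the Views module's code and not the upstream fix in 6.x-2.11. It uses the Drupal 6 core helpers drupal_get_token()/drupal_valid_token(), l(), check_plain() and check_url(), which are real, but the views_demo_* function names, the in-memory $views_demo_state array and the sample feed items are constructed for this example.

```php
<?php
// Added example (not Views code): a Drupal 6 style menu callback for a
// link-triggered enable/disable action, protected by a form token bound to
// the session and the action, plus a feed renderer that escapes its output.
// Assumptions: views_demo_* names and $views_demo_state are invented here.

// Constructed sample state standing in for the views table.
$views_demo_state = array(
  'frontpage' => array('enabled' => TRUE),
  'tracker'   => array('enabled' => FALSE),
);

/**
 * Build an enable/disable link whose token is tied to this exact action.
 * drupal_get_token() mixes the value with the session id and the site's
 * private key, so a page on another origin cannot predict it.
 */
function views_demo_toggle_link($name, $enabled) {
  $op = $enabled ? 'disable' : 'enable';
  $token = drupal_get_token($op . ':' . $name);
  // In Drupal 6, l() takes the query string as a string and runs check_plain()
  // on the link text itself, so $name needs no extra escaping here.
  return l(($enabled ? 'Disable ' : 'Enable ') . $name,
           'admin/build/views/' . $op . '/' . $name,
           array('query' => 'token=' . rawurlencode($token)));
}

/**
 * Menu callback for admin/build/views/%op/%name.
 * Without the drupal_valid_token() check, any forged GET request made with
 * the administrator's browser (and cookies) would flip the view's state.
 */
function views_demo_toggle($op, $name) {
  global $views_demo_state;
  if (!in_array($op, array('enable', 'disable'), TRUE)
      || !isset($views_demo_state[$name])) {
    drupal_not_found();
    return;
  }
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  // Validate against the same value the link was built with; a token minted
  // for another view, another operation or another session is rejected.
  if (!drupal_valid_token($token, $op . ':' . $name)) {
    drupal_access_denied();   // forged or stale request: no state change
    return;
  }
  $views_demo_state[$name]['enabled'] = ($op === 'enable');
  drupal_set_message(t('View %name has been @op.',
                       array('%name' => $name, '@op' => $op . 'd')));
  drupal_goto('admin/build/views');
}

/**
 * Render aggregator-style items. Titles come from remote feeds and links
 * from configurable fields, so both are untrusted: check_plain() escapes the
 * text for element content and check_url() strips dangerous URL schemes and
 * encodes the value for an HTML attribute.
 */
function views_demo_render_feed_items(array $items) {
  $out = '<ul>';
  foreach ($items as $item) {
    $out .= '<li><a href="' . check_url($item['link']) . '">'
          . check_plain($item['title']) . '</a></li>';
  }
  return $out . '</ul>';
}

// Constructed sample input: a feed title carrying markup. After rendering,
// the angle brackets appear as &lt; and &gt;, so the browser shows text
// rather than executing a script.
$views_demo_items = array(
  array('title' => 'Weekly <script>alert(1)</script> digest',
        'link'  => 'http://example.com/digest'),
);
```

The token value is the string `op:name`, so a token obtained for disabling one view cannot be replayed to disable another, and because drupal_valid_token() also folds in the session id, a token observed in one administrator's link is useless in another session. A confirmation form built with drupal_get_form() gets the same protection automatically through the form_token element; the explicit check here is only needed because the action is a plain link.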
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jun 18 2010 Jon Ciesla <limb at jcomserv.net> - 6.x.2.11-1
- New upstream, fixes SA-CONTRIB-2010-067.
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update drupal-views' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------