[SECURITY] Fedora 10 Update: drupal-views-6.x.2.6-1.fc10

updates at fedoraproject.org updates at fedoraproject.org
Tue Jun 16 02:26:05 UTC 2009 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-6389
2009-06-15 22:07:08
--------------------------------------------------------------------------------

Name        : drupal-views
Product     : Fedora 10
Version     : 6.x.2.6
Release     : 1.fc10
URL         : http://drupal.org/project/views
Summary     : Provides a method for site designers to control content presentation
Description :
The views module provides a flexible method for Drupal site designers
to control how lists of content (nodes) are presented. Traditionally,
Drupal has hard-coded most of this, particularly in how taxonomy and
tracker lists are formatted.

This tool is essentially a smart query builder that, given enough
information, can build the proper query, execute it, and display the
results. It has four modes, plus a special mode, and provides an
impressive amount of functionality from these modes.

--------------------------------------------------------------------------------
Update Information:

 * Advisory ID: DRUPAL-SA-CONTRIB-2009-037 [0]   * Project: Views   * Versions:
6.x-2.x   * Date: 2009-June-10   * Security risk: Moderately critical   *
Exploitable from: Remote   * Vulnerability: Cross Site Scripting (XSS), Access
Bypass    -------- DESCRIPTION
---------------------------------------------------------    The Views module
provides a flexible method for Drupal site designers to  control how lists of
content are presented. In the Views UI administrative  interface when
configuring exposed filters, user input presented as possible  exposed filters
is not correctly filtered, potentially allowing malicious  users to insert
arbitrary HTML and script code into these pages. In addition,  content entered
by users with 'administer views' permission into the View  name when defining
custom views is subsequently displayed without being  filtered. Such cross site
scripting [1] (XSS) attacks may lead to a malicious  user gaining full
administrative access. An access bypass may exist where  unpublished content
owned by the anonymous user (e.g. content created by a  user whose account was
later deleted) is visible to any anonymous user there  is a view already
configured to show it incorrectly. An additional access  bypass may occur
because Views may generate queries which disrespect node  access control. Users
may be able to access private content if they have  permission to see the
resulting View.  -------- VERSIONS AFFECTED
---------------------------------------------------     * Versions of Views for
Drupal 6.x prior to 6.x-2.6    Drupal core is not affected. If you do not use
the Views module, there is  nothing you need to do.  -------- SOLUTION
------------------------------------------------------------    Install the
latest version.   * If you use Views for Drupal 6.x upgrade to 6.x-2.6 [2]    In
addition, preventing the node access bypass may require adding *node:  access
filters* to the View manually if using relationships to nodes that  might be
restricted. Also see the Views project page [3].  -------- REPORTED BY
---------------------------------------------------------     * The exposed
filters XSS was reported by Derek Wright (dww [4]) of the     Drupal Security
Team [5]   * The XSS from the view name was reported by Justin Klein Keane
(Justin_KleinKeane [6])   * The unpublished content access bypass was reported
by Brandon Bergren     (bdragon [7])   * The node access query bypass was
reported by Moshe Weitzman (moshe     weitzman [8]) of the Drupal Security Team
[9]    -------- FIXED BY
------------------------------------------------------------    Earl Miles
(merlinofchaos [10]) Views project maintainer.  -------- CONTACT
-------------------------------------------------------------    The security
contact for Drupal can be reached at security at drupal.org or  via the form at
http://drupal.org/contact and by selecting the security  issues category.    [0]
http://drupal.org/node/488068  [1] http://en.wikipedia.org/wiki/Cross-
site_scripting  [2] http://drupal.org/node/488082  [3]
http://drupal.org/project/views  [4] http://drupal.org/user/46549  [5]
http://drupal.org/security-team  [6] http://drupal.org/user/302225  [7]
http://drupal.org/user/53081  [8] http://drupal.org/user/23  [9]
http://drupal.org/security-team  [10] http://drupal.org/user/26979
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 11 2009 Jon Ciesla <limb at jcomserv.net> - 6.x.2.6-1
- New upstream, fixes SA-CONTRIB-2009-037.
* Tue Feb 24 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 6.x.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Thu Dec 18 2008 Jon Ciesla <limb at jcomserv.net> - 6.x.2.2-1
- New upstream, fixes SA-2008-075.
* Tue Nov  4 2008 Jon Ciesla <limb at jcomserv.net> - 6.x.2.1-1
- New upstream.
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update drupal-views' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list