[SECURITY] Fedora 12 Update: drupal-6.19-1.fc12

updates at fedoraproject.org updates at fedoraproject.org
Fri Aug 13 21:16:36 UTC 2010

Fedora Update Notification
2010-08-13 20:18:55

Name        : drupal
Product     : Fedora 12
Version     : 6.19
Release     : 1.fc12
URL         : http://www.drupal.org
Summary     : An open-source content-management platform
Description :
Equipped with a powerful blend of features, Drupal is a Content Management
System written in PHP that can support a variety of websites ranging from
personal weblogs to large community-driven websites.  Drupal is highly
configurable, skinnable, and secure.

Update Information:

DRUPAL-SA-CORE-2010-002    Remember to log in to your site as the admin user
before upgrading this package. After upgrading the package, browse to
http://host/drupal/update.php to run the upgrade script, for each site.      *
Advisory ID: DRUPAL-SA-CORE-2010-002    * Project: Drupal core    * Version:
5.x, 6.x    * Date: 2010-August-11    * Security risk: Critical    * Exploitable
from: Remote    * Vulnerability: Multiple vulnerabilities    --------
DESCRIPTION    ---------------------------------------------------------
Multiple vulnerabilities and weaknesses were discovered in Drupal.  .... OpenID
authentication bypass    The OpenID module provides users the ability to login
to sites using an  OpenID account. The OpenID module doesn't implement all the
required  verifications from the OpenID 2.0 protocol and is vulnerable to a
number of  attacks. Specifically: - OpenID should verify that a
"openid.response_nonce"  has not already been used for an assertion by the
OpenID provider - OpenID  should verify the value of openid.return_to as
obtained from the OpenID  provider - OpenID must verify that all fields that are
required to be signed  are signed These specification violations allow malicious
sites to harvest  positive assertions from OpenID providers and use them on
sites using the  OpenID module to obtain access to preexisting accounts bound to
the harvested  OpenIDs. Intercepted assertions from OpenID providers can also be
replayed  and used to obtain access to user accounts bound to the intercepted
OpenIDs.  This issue affects Drupal 6.x only. A separate security announcement
and  release [1] is published for the contributed OpenID module for Drupal 5.x.
.... File download access bypass    The upload module allows users to upload
files and provides access checking  for file downloads. The module looks up
files for download in the database  and serves them for download after access
checking. However, it does not  account for the fact that certain database
configurations will not consider  case differences in file names. If a malicious
user uploads a file which only  differs in letter case, access will be granted
for the earlier upload  regardless of actual file access to that. This issue
affects Drupal 5.x and  6.x.  .... Comment unpublishing bypass    The comment
module allows users to leave comments on content on the site. The  module
supports unpublishing comments by privileged users. Users with the  "post
comments without approval" permission however could craft a URL which  allows
them to republish previously unpublished comments. This issue affects  Drupal
5.x and 6.x.  .... Actions cross site scripting    The actions feature combined
with Drupal's trigger module allows users to  configure certain actions to
happen when users register, content is  submitted, and so on; through a web
based interface. Users with "administer  actions permission" can enter action
descriptions and messages which are not  properly filtered on output. Users with
content and taxonomy tag submission  permissions can create nodes and taxonomy
terms which are not properly  sanitized for inclusion in action messages and
inject arbitrary HTML and  script code into Drupal pages. Such a cross-site
scripting attack may lead to  the malicious user gaining administrative access.
Wikipedia has more  information about cross-site scripting [2] (XSS). This issue
affects Drupal  6.x only.  -------- VERSIONS AFFECTED
---------------------------------------------------      * Drupal 6.x before
version 6.18 or 6.19.    * Drupal 5.x before version 5.23.    -------- SOLUTION
------------------------------------------------------------    Install the
latest version:    * If you are running Drupal 6.x then upgrade to Drupal 6.18
[3] or Drupal      6.19 [4].    * If you are running Drupal 5.x then upgrade to
Drupal 5.23 [5].    Drupal 5 will no longer be maintained when Drupal 7 is
released [6].  Upgrading to Drupal 6 [7] is recommended. The security team
starts a new  practice of releasing both a pure security update without other
bugfixes and  a security update combined with other bug fixes and improvements.
You can  choose to either only include the security update for an immediate fix
(which  might require less quality assurance and testing) or more fixes and
improvements alongside the security fixes by choosing between Drupal 6.18 and
Drupal 6.19. Read the announcement [8] for more information.  -------- REPORTED
BY    ---------------------------------------------------------    The OpenID
authentication bypass issues were reported by Johnny Bufu [9],  Christian
Schmidt [10] and Heine Deelstra [11] (*). The file download access  bypass was
reported by Dylan Tack [12] (*). The comment unpublish bypass  issue was
reported by Heine Deelstra [13] (*). The actions module cross site  scripting
was reported by Justin Klein Keane [14] and Heine Deelstra [15]  (*). (*) Member
of the Drupal security team.  -------- FIXED BY
------------------------------------------------------------    The OpenID
authentication issues were fixed by Christian Schmidt [16], Heine  Deelstra [17]
(*) and Damien Tournoud [18] (*). The file download access  bypass was fixed by
Dave Reid [19] (*) and Neil Drumm [20] (*). The comment  unpublish bypass issue
was fixed by Heine Deelstra [21] (*). The actions  module cross site scripting
was fixed by Justin Klein Keane [22] and Heine  Deelstra [23] (*). (*) Member of
the Drupal security team.  -------- CONTACT
-------------------------------------------------------------    The security
team for Drupal can be reached at security at drupal.org or via  the form at
http://drupal.org/contact.    [1] http://drupal.org/node/880480  [2]
http://en.wikipedia.org/wiki/Cross-site_scripting  [3]
http://ftp.drupal.org/files/projects/drupal-6.18.tar.gz  [4]
http://ftp.drupal.org/files/projects/drupal-6.19.tar.gz  [5]
http://ftp.drupal.org/files/projects/drupal-5.23.tar.gz  [6]
http://drupal.org/node/725382  [7] http://drupal.org/upgrade  [8]
http://drupal.org/drupal-6.19  [9] http://drupal.org/user/226462  [10]
http://drupal.org/user/216078  [11] http://drupal.org/user/17943  [12]
http://drupal.org/user/96647  [13] http://drupal.org/user/17943  [14]
http://drupal.org/user/302225  [15] http://drupal.org/user/17943  [16]
http://drupal.org/user/216078  [17] http://drupal.org/user/17943  [18]
http://drupal.org/user/22211  [19] http://drupal.org/user/53892  [20]
http://drupal.org/user/3064  [21] http://drupal.org/user/17943  [22]
http://drupal.org/user/302225  [23] http://drupal.org/user/17943
_______________________________________________  Security-news mailing list
Security-news at drupal.org  http://lists.drupal.org/mailman/listinfo/security-news

* Thu Aug 12 2010 Jon Ciesla <limb at jcomserv.net> - 6.19-1
- Update to 6.19, SA-CORE-2010-002.
* Mon Jun 28 2010 Jon Ciesla <limb at jcomserv.net> - 6.17-1
- Update to 6.17.
* Thu Mar  4 2010 Jon Ciesla <limb at jcomserv.net> - 6.16-1
- Update to 6.16, SA-CORE-2010-001.
* Thu Dec 17 2009 Jon Ciesla <limb at jcomserv.net> - 6.15-1
- Update to 6.15, SA-CORE-2009-009.

This update can be installed with the "yum" update program.  Use 
su -c 'yum update drupal' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at

More information about the package-announce mailing list