Ivan Vilata i Balaguer
2010-Aug-12 09:37 UTC
[Secure-testing-team] Bug#592716: drupal6: SA-CORE-2010-002 - Drupal core - Multiple vulnerabilities
Package: drupal6
Version: 6.16-1~bpo50+1
Severity: grave
Tags: security
Justification: user security hole

DRUPAL-SA-CORE-2010-002 from 2010-08-12 includes several vulnerabilities, some of them allowing malicious site identifying as existing users and gaining administrative access. The problems got fixed in 6.18, so it looks like all versions currently in Debian are affected.

Thanks,

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (990, 'stable'), (190, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.18.8-linode22 (SMP w/4 CPU cores)
Locale: LANG=ca_ES.UTF-8, LC_CTYPE=ca_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages drupal6 depends on:
ii  curl                5.18.2-8lenny4         Get a file from an HTTP, HTTPS or
ii  dbconfig-common     1.8.39                 common framework for packaging dat
ii  debconf [debconf-2  1.5.24                 Debian configuration management sy
ii  mysql-client        5.0.51a-24+lenny4      MySQL database client (metapackage
ii  mysql-client-5.0 [  5.0.51a-24+lenny4      MySQL database client binaries
ii  nginx [httpd]       0.7.67-3               small, but very powerful and effic
ii  php5                5.2.6.dfsg.1-1+lenny9  server-side, HTML-embedded scripti
ii  php5-gd             5.2.6.dfsg.1-1+lenny9  GD module for php5
ii  php5-mysql          5.2.6.dfsg.1-1+lenny9  MySQL module for php5
ii  postfix [mail-tran  2.5.5-1.1              High-performance mail transport ag
ii  wwwconfig-common    0.1.2                  Debian web auto configuration

Versions of packages drupal6 recommends:
ii  mysql-server            5.0.51a-24+lenny4  MySQL database server (metapackage
ii  mysql-server-5.0 [mysq  5.0.51a-24+lenny4  MySQL database server binaries

drupal6 suggests no packages.

-- debconf information excluded