Luigi Gangitano
2007-Dec-07 23:15 UTC
[Secure-testing-team] DRUPAL-SA-2007-031 - SQL injection in certain contributed modules
Hi,

a new vulnerability has been reported today in drupal. SQL injection is possible when some contributed modules use taxonomy_select_nodes(). Default installation of drupal in debian is not vulnerable, since no contributed module is installed by default.

This vulnerability has been fixed in drupal5_5.5-1 and drupal_4.7.10-1, now in sid and in testing as soon as the one day delay is over. There is no drupal in etch.

Regards,

L

--
Luigi Gangitano -- <luigi at debian.org> -- <gangitano at lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26

Nico Golde
2007-Dec-08 13:42 UTC
[Secure-testing-team] DRUPAL-SA-2007-031 - SQL injection in certain contributed modules
Hi Luigi,

* Luigi Gangitano <luigi at debian.org> [2007-12-08 00:17]:
> a new vulnerability has been reported today in drupal. SQL injection
> is possible when some contributed modules use
> taxonomy_select_nodes(). Default installation of drupal in debian is
> not vulnerable, since no contributed module is installed by default.
>
> This vulnerability has been fixed in drupal5_5.5-1 and
> drupal_4.7.10-1, now in sid and in testing as soon as the one day
> delay is over. There is no drupal in etch.

Thank you for the information. I do not yet see any CVE id for this issue. Did anyone request one so far?

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.