Debian Security Advisory
DSA-958-1 drupal -- several vulnerabilities
- Date Reported:
- 27 Jan 2006
- Affected Packages:
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 15674, BugTraq ID 15677, BugTraq ID 15663.
In Mitre's CVE dictionary: CVE-2005-3973, CVE-2005-3974, CVE-2005-3975.
- More information:
Several security related problems have been discovered in drupal, a fully-featured content management/discussion engine. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:
Several cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML.
When running on PHP5, Drupal does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission.
An interpretation conflict allows remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension.
The old stable distribution (woody) does not contain drupal packages.
For the stable distribution (sarge) these problems have been fixed in version 4.5.3-5.
For the unstable distribution (sid) these problems have been fixed in version 4.5.6-1.
We recommend that you upgrade your drupal package.
- Fixed in:
Debian GNU/Linux 3.1 (sarge)
- Architecture-independent component:
MD5 checksums of the listed files are available in the original advisory.