Drupal 6.14 released to fix multiple critical security vulnerabilities

Bug #431078 reported by Scott Testerman
Affects             Status      Importance  Assigned to  Milestone
drupal6 (Ubuntu)    Incomplete  Undecided   Unassigned
  Jaunty            Incomplete  Undecided   Unassigned
  Karmic            Incomplete  Undecided   Unassigned

Bug Description

Binary package hint: drupal6

Drupal 6.14 has been released to fix multiple critical security vulnerabilities, as well as other, smaller issues. No new functionality has been included. Full details about the security issues addressed by this bugfix are available at http://drupal.org/node/579482 . The release announcement can be found at http://drupal.org/drupal-6.14 .

Drupal 6.14 is not yet available upstream for merging.

Vulnerabilities fixed are:
* OpenID association cross site request forgery vulnerability;
* OpenID impersonation vulnerability;
* File upload creates files that are executable by Apache vulnerability.

New upstream (non-Debian) version:
ftp://ftp.osuosl.org/pub/drupal/files/projects/drupal-6.14.tar.gz
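A reader of this report will first want to know whether a given Drupal 6 tree is at or past the fixed release. The following is an added example, not code from the bug report, from Drupal or from the Ubuntu package: it reads the VERSION constant that Drupal 6 defines in modules/system/system.module and compares it against 6.14. The sample file contents are constructed for the example, and the function names and the /usr/share/drupal6 path are assumptions made here.

```python
import os
import re

# Constructed sample (not a real file from the page or from Drupal): the
# shape of the VERSION define near the top of Drupal 6's
# modules/system/system.module, here still at 6.13.
SAMPLE_SYSTEM_MODULE = """<?php
/**
 * @file
 * Configuration system that lets administrators modify the workings of the site.
 */

define('VERSION', '6.13');
define('DRUPAL_CORE_COMPATIBILITY', '6.x');
"""

# Release that the bug report says carries the three fixes.
FIXED_VERSION = "6.14"

_VERSION_RE = re.compile(
    r"""define\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def parse_drupal_version(source: str):
    """Return the VERSION constant declared in system.module source, or None."""
    m = _VERSION_RE.search(source)
    return m.group(1) if m else None


def version_key(version: str):
    """Sort key for Drupal-style versions such as '6.13', '6.14', '6.14-dev'.

    Numeric components compare as integers, so '6.9' < '6.14'; a suffixed
    pre-release ('6.14-dev') sorts before the plain release '6.14'.
    """
    base, _, suffix = version.partition("-")
    numbers = tuple(int(part) for part in base.split("."))
    return (numbers, 0 if suffix else 1)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` predates the release carrying the fixes."""
    return version_key(version) < version_key(fixed)


def upstream_from_package_version(pkg_version: str) -> str:
    """Strip a Debian epoch and revision: '1:6.14-1ubuntu1' -> '6.14'."""
    without_epoch = pkg_version.split(":", 1)[-1]
    return without_epoch.rsplit("-", 1)[0]


def check_source(source: str, fixed: str = FIXED_VERSION) -> dict:
    """Classify a system.module by the VERSION it declares."""
    version = parse_drupal_version(source)
    if version is None:
        return {"version": None, "vulnerable": None,
                "reason": "no VERSION define found"}
    return {
        "version": version,
        "vulnerable": is_vulnerable(version, fixed),
        "reason": f"declared {version}, fixed in {fixed}",
    }


def check_tree(drupal_root: str, fixed: str = FIXED_VERSION) -> dict:
    """Check an installed Drupal 6 tree (assumed path on Ubuntu: /usr/share/drupal6)."""
    path = os.path.join(drupal_root, "modules", "system", "system.module")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_source(fh.read(), fixed)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    # With no argument, run against the constructed sample above.
    print(check_tree(root) if root else check_source(SAMPLE_SYSTEM_MODULE))
```

One caveat, and it is the one the rest of this thread turns on: if a distribution ships cherry-picked fixes rather than the full 6.14 upgrade, system.module keeps declaring 6.13 and this check reports the tree as vulnerable even though the fixes are present. For a distro package the package changelog is the authority; the VERSION check is only conclusive for trees installed from the upstream tarball.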

visibility: private → public
Revision history for this message
Scott Testerman (scott-testerman) wrote :

Diff attached for Jaunty

description: updated
Scott Testerman (scott-testerman) wrote :

Diff attached for Karmic

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. I see that you have attached patches to update the Ubuntu packages to the new upstream version. While this work is appreciated, we cannot publish your patches because this does not follow Ubuntu's policy of backporting security patches. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

Changed in drupal6 (Ubuntu Jaunty):
status: New → Confirmed
Changed in drupal6 (Ubuntu Karmic):
status: New → Confirmed
Scott Testerman (scott-testerman) wrote :

Drupal6 debdiffs dutifully done.

Please note that these are likely larger than the normal patch, in order to comply with Drupal-supported upgrade methods.

I apologize for not following proper procedure earlier. Please don't dispatch me to the outer circles of Vista.

Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs Scott! What testing was performed for each of these? Please see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Testing for details.

Changed in drupal6 (Ubuntu Jaunty):
status: Confirmed → In Progress
Changed in drupal6 (Ubuntu Karmic):
status: Confirmed → In Progress
Kees Cook (kees) wrote :

I'm afraid these debdiffs are not minimal changes -- we don't normally do full version upgrades; we cherry-pick fixes from upstream and apply those to the existing stable releases.

Changed in drupal6 (Ubuntu Jaunty):
status: In Progress → Incomplete
Changed in drupal6 (Ubuntu Karmic):
status: In Progress → Incomplete
Blastoff (wolph) wrote :

As Scott mentioned, "No new functionality has been included." It's a minor version upgrade, not a full version upgrade, and it would be much better than having vulnerable software available in the repositories.
