Drupal5: SA-2007-031, SA-2008-005,SA-2008-006: SQL injection and XSS

Sorry for first patch, i recreate it with dpatch system now.

Hardy not affected, affected only Guitsy and Feisty (patch attached)

Hi Emanuele,

I checked the diff and found that the security patch from drupal is not fixed (see http://drupal.org/drupal-5.5 and http://drupal.org/node/198321)

would you fix this too and add the new security fixes SA-2008-0005 and SA-2008-0006 to the gutsy and feisty package?

SA-2008-0007 is just an advisory to disable register_globals in your local php/apache configuration ;)

Thanks Stephan Hermann, this LP bug was for SA-2007-031, but tomorrow i will see && fix other bugs too.

Cheers,

Eamanuele

drupal5 (5.2-2ubuntu2.2) gutsy-security; urgency=low

  * SECURITY UPDATE: (LP: 181984)
    - SA-2007-031: SQL injection posssible when certain
      contribuited modules are enabled
    - SA-2008-005: Cross site request forgery
    - SA-2008-006: Cross site scripting (UTF8)
  * References:
    - SA-2007-031: http://drupal.org/node/198162
    - SA-2008-005: http://drupal.org/node/208562
    - SA-2008-006: http://drupal.org/node/208564

 -- Emanuele Gentili <email address hidden> Tue, 15 Jan 2008 13:57:17 +0100

drupal (5.1-0ubuntu2.3) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: 181984)
    - SA-2007-031: SQL injection posssible when certain
      contribuited modules are enabled
    - SA-2008-005: Cross site request forgery
    - SA-2008-006: Cross site scripting (UTF8)
  * References:
    - SA-2007-031: http://drupal.org/node/198162
    - SA-2008-005: http://drupal.org/node/208562
    - SA-2008-006: http://drupal.org/node/208564

 -- Emanuele Gentili <email address hidden> Wed, 16 Jan 2008 01:29:22 +0100

corrected debdiff to feisty.

Upstream re-fix SA-2007-031 patch, and I update debdiff with it.

Upstream re-fix SA-2007-031 patch, and I update debdiff with it. (for feisty too)

ultimate fix, now done for uploading. (gutsy)

ultimate fix, now done for uploading. (feisty)

Emanuele, I have uploaded the updated gutsy package, but the feisty debdiff does not match up with upstream. These are the changes I am seeing (from upstream SA-2008-005-5.5.patch to the 28_SA-2008-005-5.5.dpatch
< + 'callback' => 'drupal_get_form',
---
> + 'callback' => 'drupal_get_from',

In the future, when supplying debdiffs, please try to use the 'patch' program when possible rather than manually editing when at all possible, and test the program to make sure it works properly. As this was such a small change, I have edited the patch and have uploaded it. Thanks for you work on this!