Fix critical security issues in drupal packages

Diff attached for Hardy

Diff attached for Intrepid

Diff attached for Jaunty

Diff attached for Karmic

Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. I see that you have attached patches to update the Ubuntu packages to the new upstream version. While this work is appreciated, we cannot publish your patches because this does not follow Ubuntu's policy of backporting security patches. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

Drupal5 debdiffs dutifully done.

Thanks for the debdiffs Scott! What testing was performed for each of these? Please see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Testing for details.

Hi again Scott. :) As mentioned int he Drupal 6.x bug, we only use minimal-change patches. Please see item 2 in the Security Update wiki: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Patch

Thanks!

 drupal5 (5.20-1) unstable; urgency=low

   * New upstream release (Closes: #543940)

   * debian/changelog
     - Bumped Standard-Version to 3.8.3 (no change needed)

 -- Luigi Gangitano <email address hidden> Sun, 20 Sep 2009 01:35:45 +0200

I'm removing all old attachments, because these aren't usefully (no upstream release, just patch include).

Added patch fixing this security bug. Built fine on my-ppa.

https://edge.launchpad.net/~ari-tczew/+archive/drupal/+build/1279670/+files/buildlog_ubuntu-karmic-i386.drupal5_5.18-1.1ubuntu2~ppa0_FULLYBUILT.txt.gz

Hello artur,

Please use patch tagging guidelines as described in

https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines

Thanks

Added info in patch about:
* Ubuntu
* Upstream
* Patch
I believe that it satisfy you bhavi.

This bug was fixed in the package drupal5 - 5.18-1.1ubuntu2

---------------
drupal5 (5.18-1.1ubuntu2) karmic; urgency=low

  * debian/patches/21_SA-CORE-2009-008.dpatch:
    - Fixed security issues (session fixation),
      see SA-CORE-2009-008 (LP: #431080).
  * debian/README.source: Added for silence lintian's warning.

 -- Artur Rona <email address hidden> Wed, 07 Oct 2009 17:32:47 +0200

Added patch for drupal6 (karmic). Built fine on my-ppa.
http://launchpadlibrarian.net/33412664/buildlog_ubuntu-karmic-i386.drupal6_6.12-1.1ubuntu1~ppa0_FULLYBUILT.txt.gz

I would sponsor and push this in (thanks for the work Artur), but we're past FinalFreeze. Will subscribe motu-release for an exception.

Universe is not past final freeze. Go ahead.

...... Original Message .......
On Thu, 15 Oct 2009 18:50:40 -0000 Michael Terry
<email address hidden> wrote:
>I would sponsor and push this in (thanks for the work Artur), but we're
>past FinalFreeze. Will subscribe motu-release for an exception.
>
>--
>Fix critical security vulnerability (SA-CORE-2009-008)
>https://bugs.launchpad.net/bugs/431080
>You received this bug notification because you are a member of MOTU
>Release Team, which is a direct subscriber.
>
>Status in
drupal5
 package in Ubuntu: Fix Released
>Status in
drupal6
 package in Ubuntu: New
>Status in drupal5 in Ubuntu Hardy: Incomplete
>Status in drupal6 in Ubuntu Hardy: Invalid
>Status in drupal5 in Ubuntu Intrepid: Incomplete
>Status in drupal6 in Ubuntu Intrepid: Invalid
>Status in drupal5 in Ubuntu Jaunty: Triaged
>Status in drupal6 in Ubuntu Jaunty: Triaged
>Status in drupal5 in Ubuntu Karmic: Fix Released
>Status in drupal6 in Ubuntu Karmic: New
>Status in
drupal5
 package in Debian: Fix Released
>Status in
drupal6
 package in Debian: Fix Released
>
>Bug description:
>Binary package hint: drupal5
>
>Full details about the security issue addressed by this bugfix are available at
http://drupal.org/node/579482 . The release announcement can be found at
http://drupal.org/drupal-6.14 .
>
>The vulnerability is:
>* Attacker can fix and reuse a victim's session ID.
>

I uploaded this, so it's in the queue awaiting approval.

This bug was fixed in the package drupal6 - 6.12-1.1ubuntu1

---------------
drupal6 (6.12-1.1ubuntu1) karmic; urgency=high

  * debian/patches/21_SA-CORE-2009-008.dpatch:
    - Fixed security issues (session fixation),
      see SA-CORE-2009-008 (LP: #431080).
  * debian/README.source: Added for silence lintian's warning.

 -- Artur Rona <email address hidden> Sat, 10 Oct 2009 18:42:02 +0200

I don't see a debdiff attached for Jaunty. Why has Jaunty been marked "In Progress"?

I'm setting back to Triaged. Please set to "In Progress" once someone has attached a Jaunty debdiff.

"In Progress" assigned to me says that I'm making a debdiff. I think that should made a debdiff today. Don't panic.

It built fine on my-ppa.

https://edge.launchpad.net/~ari-tczew/+archive/drupal/+build/1306142/+files/buildlog_ubuntu-jaunty-i386.drupal5_5.15-1ubuntu1.1~ppa0_FULLYBUILT.txt.gz

Thanks for the debdiff Artur.

Unfortunately, you forgot to add the patches to debian/patches/00list, so they didn't actually get applied during your test build. If I add them to 00list, they fail to apply properly.

Could you please re-submit a fixed debdiff.

Thanks!

OOops, epic fail :P
deleting old debdiff, preparing refreshed debdiff...

There is a fixed debdiff for jaunty-security. Built fine on my-ppa.
https://edge.launchpad.net/~ari-tczew/+archive/drupal/+build/1307508/+files/buildlog_ubuntu-jaunty-i386.drupal5_5.15-1ubuntu1.1~ppa1_FULLYBUILT.txt.gz

Thanks for the new debdiff! The package is currently building and will be released soon.

Debdiff for jaunty drupal6. It built fine on my-ppa.
https://launchpad.net/~ari-tczew/+archive/drupal/+build/1308115/+files/buildlog_ubuntu-jaunty-i386.drupal6_6.10-1ubuntu0.1~ppa1_FULLYBUILT.txt.gz

Added patch for enable RewriteBase /drupal6 (LP: #371187)
It would be nice if someone will open task on bug #371187 for jaunty and karmic.

Sponsors: your turn.

Debdiffs for hardy and intrepid I'll later, because now I'm very busy. At first please upload debdiffs for:
- drupal5 (jaunty)
- drupal6 (jaunty)
- drupal6 (karmic) (LP: #371187)

I cannot publish the debdiff for jaunty drupal6 as it contains a fix to an issue that is not security related.

The patch for LP: #371187 needs to go though the SRU process:
https://wiki.ubuntu.com/StableReleaseUpdates

Incompatible debdiff has been removed. I've attached debdiff without htaccess patch. If you'll upload this, I can create a new debdiff just for bug #371187

Thanks for the debdiff. Packages are currently building, and will be released Monday.

For some reason, I can't change the status on this bug.

This bug was fixed in the package drupal6 - 6.10-1ubuntu0.1

---------------
drupal6 (6.10-1ubuntu0.1) jaunty-security; urgency=low

  * debian/patches/18_SA-CORE-2009-005.dpatch:
    - Fix cross site scripting, see SA-CORE-2009-005
    - CVE-2009-1576
  * debian/patches/19_SA-CORE-2009-006.dpatch:
    - Fix cross site scripting, see SA-CORE-2009-006
  * debian/patches/20_SA-CORE-2009-007.dpatch:
    - Fix possible password leakage via URLs.
    - CVE-2009-2372
    - CVE-2009-2373
    - CVE-2009-2374
  * debian/patches/21_SA-CORE-2009-008.dpatch:
    - Fix security issues (session fixation),
      see SA-CORE-2009-008 (LP: #431080)

 -- Artur Rona <email address hidden> Sun, 25 Oct 2009 16:19:12 +0100

This bug was fixed in the package drupal5 - 5.15-1ubuntu1.1

---------------
drupal5 (5.15-1ubuntu1.1) jaunty-security; urgency=low

  * debian/patches/18_SA-CORE-2009-005.dpatch:
    - Fix cross site scripting, see SA-CORE-2009-005
    - CVE-2009-1576
  * debian/patches/19_SA-CORE-2009-006.dpatch:
    - Fix cross site scripting, see SA-CORE-2009-006
  * debian/patches/20_SA-CORE-2009-007.dpatch:
    - Fix possible password leakage via URLs.
    - CVE-2009-2372
    - CVE-2009-2373
    - CVE-2009-2374
  * debian/patches/21_SA-CORE-2009-008.dpatch:
    - Fix security issues (session fixation),
      see SA-CORE-2009-008 (LP: #431080)

 -- Artur Rona <email address hidden> Sat, 24 Oct 2009 23:32:18 +0200

patches for intrepid

Sponsors, go ahead.

There are no patches any more. Therefore I unsubscribe ubuntu-universe-sponsors for now. Please resubscribe us when there is something to sponsor.

This is building in the security queue now. Thanks!

This bug was fixed in the package drupal5 - 5.10-1ubuntu1.1

---------------
drupal5 (5.10-1ubuntu1.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Multiple vulnerabilities and weaknesses
    were discovered in Drupal. (LP: #431080):
    - 14_SA-2008-060
    - 15_SA-2008-067
    - 16_SA-2008-073
    - 17_SA-CORE-2009-001
    - 18_SA-CORE-2009-005
    - 19_SA-CORE-2009-006
    - 20_SA-CORE-2009-007
    - 21_SA-CORE-2009-008
    - 22_SA-CORE-2009-009

  * Fixes:
    - CVE-2008-6171
    - CVE-2008-6532
    - CVE-2008-6533
    - CVE-2009-1576
    - CVE-2009-2372
    - CVE-2009-2373
    - CVE-2009-2374
 -- Artur Rona <email address hidden> Tue, 22 Dec 2009 01:00:27 +0100

There is no debdiff for Hardy yet. As such, I am removing ubuntu-security-sponsors. Please resubscribe ubuntu-security-sponsors once a debdiff for Hardy has been submitted.

Thanks.

(Unsubscribing ubuntu-sru, since this is a security update)

Hardy ACK'd. Packages are being built now. Thanks!

This bug was fixed in the package drupal5 - 5.7-1ubuntu1.2

---------------
drupal5 (5.7-1ubuntu1.2) hardy-security; urgency=low

  * SECURITY UPDATE: Multiple vulnerabilities and weaknesses
    were discovered in Drupal. (LP: #431080):
    - 13_SA-2008-047
    - 14_SA-2008-060
    - 15_SA-2008-067
    - 16_SA-2008-073
    - 17_SA-CORE-2009-001
    - 18_SA-CORE-2009-005
    - 19_SA-CORE-2009-006
    - 20_SA-CORE-2009-007
    - 21_SA-CORE-2009-008
    - 22_SA-CORE-2009-009

  * Fixes:
    - CVE-2008-6171
    - CVE-2008-6532
    - CVE-2008-6533
    - CVE-2009-1576
    - CVE-2009-2372
    - CVE-2009-2373
    - CVE-2009-2374
    - CVE-2009-4370
 -- Artur Rona <email address hidden> Sun, 31 Jan 2010 14:40:34 +0100