backport security fixes from 6.19 and 5.23

Bug #539056 reported by matthewcford
This bug affects 1 person
Affects            Status         Importance   Assigned to   Milestone
drupal5 (Ubuntu)   Invalid        Undecided    Unassigned
  Hardy            Fix Released   Medium       Unassigned
  Jaunty           Won't Fix      Undecided    Unassigned
  Karmic           Fix Released   Medium       Unassigned
  Lucid            Invalid        Undecided    Unassigned
  Maverick         Invalid        Undecided    Unassigned
drupal6 (Ubuntu)   Fix Released   Medium       Artur Rona
  Hardy            Invalid        Undecided    Unassigned
  Jaunty           Won't Fix      Undecided    Unassigned
  Karmic           Fix Released   Medium       Artur Rona
  Lucid            Fix Released   Medium       Unassigned
  Maverick         Fix Released   Medium       Artur Rona

Bug Description

Binary package hint: drupal6

It seems that there is another security patch for drupal to version 6.16

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
visibility: private → public
Changed in drupal6 (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Artur Rona (ari-tczew) wrote :

Next time please subscribe motu-swat as team enlightened to fixing universe issues.

I'm on it. I'll fix it at the latest in May.

Artur Rona (ari-tczew)
Changed in drupal6 (Ubuntu):
assignee: nobody → Artur Rona (ari-tczew)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Lucid now has 6.16-1.

summary: - securty upgrade to version 6.16
+ backport security fixes from 6.16
Changed in drupal6 (Ubuntu):
status: Confirmed → Fix Released
Changed in drupal6 (Ubuntu Lucid):
status: New → Fix Released
Changed in drupal6 (Ubuntu Jaunty):
status: New → Confirmed
Changed in drupal6 (Ubuntu Karmic):
status: New → Confirmed
Changed in drupal5 (Ubuntu Hardy):
status: New → Confirmed
Changed in drupal5 (Ubuntu Jaunty):
status: New → Confirmed
Changed in drupal5 (Ubuntu Karmic):
status: New → Confirmed
summary: - backport security fixes from 6.16
+ backport security fixes from 6.16 and 5.22
Changed in drupal5 (Ubuntu):
status: New → Invalid
Changed in drupal6 (Ubuntu Hardy):
status: New → Invalid
Changed in drupal5 (Ubuntu Lucid):
status: New → Invalid
Artur Rona (ari-tczew)
Changed in drupal6 (Ubuntu Karmic):
assignee: nobody → Artur Rona (ari-tczew)
status: Confirmed → In Progress
Revision history for this message
Artur Rona (ari-tczew) wrote : Re: backport security fixes from 6.16 and 5.22

Jaunty is End Of Life.

Changed in drupal5 (Ubuntu Jaunty):
status: Confirmed → Won't Fix
Changed in drupal6 (Ubuntu Jaunty):
status: Confirmed → Won't Fix
Artur Rona (ari-tczew)
summary: - backport security fixes from 6.16 and 5.22
+ backport security fixes from 6.19 and 5.23
Revision history for this message
Artur Rona (ari-tczew) wrote :

Sending patches to Bazaar was a bad idea. Bzr damages patches. I'm attaching debdiffs.

Changed in drupal6 (Ubuntu Karmic):
assignee: Artur Rona (ari-tczew) → nobody
status: In Progress → Confirmed
Revision history for this message
Artur Rona (ari-tczew) wrote :

Reopening as lucid is affected by a new issue for which I attached a fix.

Changed in drupal6 (Ubuntu Lucid):
status: Fix Released → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs! The karmic and lucid drupal6 debdiffs are missing a portion of the openid patch to fix SA-CORE-2010-002. These also have an unconventional debian/changelog. Please adjust these and attach new patches to this bug, setting the status to 'New' for these tasks. Thanks!

The hardy SA-CORE-2010-001 patch has an unnecessary whitespace change that deviates from SA-CORE-2010-001-5.21.patch provided by upstream. I have adjusted this for future maintenance. Please be careful to not introduce extra changes when preparing debdiffs/uploads.

Finally, what testing has been performed on these packages?

Changed in drupal6 (Ubuntu Karmic):
assignee: nobody → Artur Rona (ari-tczew)
status: Confirmed → Incomplete
Changed in drupal6 (Ubuntu Lucid):
status: Confirmed → Incomplete
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Actually, I misspoke on the hardy debdiff (sorry about that) -- the whitespace change was needed to apply the patch.

Uploaded drupal5 for hardy and karmic to the security PPA. Please give feedback on the testing performed.

Changed in drupal5 (Ubuntu Hardy):
status: Confirmed → In Progress
Changed in drupal5 (Ubuntu Karmic):
status: Confirmed → In Progress
Revision history for this message
Artur Rona (ari-tczew) wrote :

Drupal5 works fine. About drupal6 - I don't know which module you are talking about. I applied the patches which the upstream developer sent to me. Nothing else is necessary.

Revision history for this message
Steve Beattie (sbeattie) wrote :

The drupal5 packages were mistakenly uploaded to the private security ppa; I copied them over to the public security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/ ; please test and report feedback here.

For the drupal6 debdiffs, I examined the patch to fix SA-CORE-2010-002; the only difference that I could see between it and the upstream commit at http://git.drupalfr.org/cgi-bin/gitweb.cgi?p=core/new-date.git;a=commitdiff;h=d9e273d82fd427115642f2e6c2fbefcb661a2115 was that the dpatch had dropped the changelog entry, VCS tag id updates, and a gratuitous whitespace change -- I do find it's helpful for reviewers when I adjust patches like that to add a note in the patch header that I've done so.

I adjusted the debian/changelog entries to give a better description of the issues and uploaded the packages to the security proposed ppa, again at https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/ ; please test and report feedback here.

Thanks again!

Changed in drupal6 (Ubuntu Karmic):
status: Incomplete → In Progress
Changed in drupal6 (Ubuntu Lucid):
importance: Undecided → Medium
status: Incomplete → In Progress
Changed in drupal6 (Ubuntu Karmic):
importance: Undecided → Medium
Changed in drupal5 (Ubuntu Karmic):
importance: Undecided → Medium
Changed in drupal5 (Ubuntu Hardy):
importance: Undecided → Medium
Revision history for this message
Steve Beattie (sbeattie) wrote :

After being prompted by Jamie on IRC, I reexamined the differences between the upstream commit and the supplied patch for the openid issue, and the patch in the debdiff is missing the following chunk:

@@ -111,7 +111,7 @@ function openid_form_alter(&$form, $form_state, $form_id) {
       '#weight' => -1,
       '#description' => l(t('What is OpenID?'), 'http://openid.net/', array('external' => TRUE)),
     );
- $form['openid.return_to'] = array('#type' => 'hidden', '#value' => url('openid/authenticate', array('absolute' => TRUE, 'query' => user_login_destination())));
+ $form['openid.return_to'] = array('#type' => 'hidden', '#value' => url('openid/authenticate', array('absolute' => TRUE, 'query' => drupal_get_destination())));
   }
   elseif ($form_id == 'user_register' && isset($_SESSION['openid']['values'])) {
     // We were unable to auto-register a new user. Prefill the registration
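Review bot: The single changed line in openid_form_alter() only applies where the packaged source still reads 'query' => user_login_destination(), so the pre-image should be checked against each series' openid.module before this chunk is treated as missing. If a target already calls drupal_get_destination() on that line, say so in the dpatch header, so the difference from the upstream commit is recorded as deliberate rather than left for reviewers to rediscover.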

Revision history for this message
Steve Beattie (sbeattie) wrote :

Ah, the reason it's missing is because it appears that it's a reversion of the first half of this commit: http://git.drupalfr.org/cgi-bin/gitweb.cgi?p=core/new-date.git;a=commitdiff;h=911582f48961b628e02e8af9899e01885b618e1b ; the line in question in 6.16-1 and 6.12-1.1ubuntu1.1 is already in the post-modified form ('query' already points to drupal_get_destination()), and thus the chunk is unnecessary.
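
The check described in the comment above (is the target line already in the post-modified form, making the chunk unnecessary?) can be automated when comparing a backport against an upstream commit. This Python sketch is an added example, not part of the original thread or of any Ubuntu or Drupal tooling; the hunk is an abridged, constructed version of the quoted chunk, and `sample_target` is a hypothetical stand-in for the packaged source.

```python
# Constructed, abridged hunk modelled on the chunk quoted above.
HUNK = r"""@@ -111,7 +111,7 @@ function openid_form_alter(&$form, $form_state, $form_id) {
     );
-    $form['openid.return_to'] = array('#value' => url('openid/authenticate', array('query' => user_login_destination())));
+    $form['openid.return_to'] = array('#value' => url('openid/authenticate', array('query' => drupal_get_destination())));
   }
"""

def sample_target(helper):
    """Constructed stand-in for the packaged openid.module around the hunk."""
    return ("  );\n\t$form['openid.return_to'] = array('#value' => "
            "url('openid/authenticate', array('query' => %s())));\n  }\n" % helper)

def split_hunk(hunk_text):
    """Return (pre_image, post_image) line lists for one unified-diff hunk."""
    pre, post = [], []
    for line in hunk_text.splitlines():
        if line.startswith(("@@", "\\")):   # header / "\ No newline" marker
            continue
        tag, body = (line[0], line[1:]) if line else (" ", "")
        if tag in " -":
            pre.append(body)
        if tag in " +":
            post.append(body)
    return pre, post

def _norm(lines):
    # Collapse whitespace so indentation-only differences do not count.
    return [" ".join(l.split()) for l in lines]

def _contains(haystack, needle):
    h, n = _norm(haystack), _norm(needle)
    return bool(n) and any(h[i:i + len(n)] == n
                           for i in range(len(h) - len(n) + 1))

def classify_hunk(hunk_text, target_text):
    """'already-applied', 'applies' or 'conflict' for the hunk against target."""
    pre, post = split_hunk(hunk_text)
    target = target_text.splitlines()
    if _contains(target, post):
        return "already-applied"   # post-image present: chunk is unnecessary
    if _contains(target, pre):
        return "applies"           # pre-image present: chunk is still needed
    return "conflict"              # neither: needs manual review

if __name__ == "__main__":
    for helper in ("drupal_get_destination", "user_login_destination"):
        print(helper, "->", classify_hunk(HUNK, sample_target(helper)))
```

A "conflict" result means neither form of the line was found, which is the case that needs a human to read the target source before the backport is signed off.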

Revision history for this message
Kees Cook (kees) wrote :

Pocket copied drupal5 and drupal6 to -proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Changed in drupal5 (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in drupal5 (Ubuntu Karmic):
status: In Progress → Fix Committed
Changed in drupal6 (Ubuntu Karmic):
status: In Progress → Fix Committed
Changed in drupal6 (Ubuntu Lucid):
status: In Progress → Fix Committed
Revision history for this message
Kees Cook (kees) wrote :

To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal5 - 5.7-1ubuntu1.3

---------------
drupal5 (5.7-1ubuntu1.3) hardy-security; urgency=low

  * SECURITY UPDATE: Multiple vulnerabilities and weaknesses were
    discovered in Drupal (LP: #539056).
    - CVE-2010-3092
    - CVE-2010-3093
    - SA-CORE-2010-001
    - SA-CORE-2010-002
 -- Artur Rona <email address hidden> Mon, 27 Dec 2010 22:35:21 +0100

Changed in drupal5 (Ubuntu Hardy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal5 - 5.18-1.1ubuntu2.2

---------------
drupal5 (5.18-1.1ubuntu2.2) karmic-security; urgency=low

  * SECURITY UPDATE: Multiple vulnerabilities and weaknesses were
    discovered in Drupal (LP: #539056).
    - CVE-2010-3092
    - CVE-2010-3093
    - SA-CORE-2010-001
    - SA-CORE-2010-002
 -- Artur Rona <email address hidden> Mon, 27 Dec 2010 21:57:05 +0100

Changed in drupal5 (Ubuntu Karmic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal6 - 6.12-1.1ubuntu1.2

---------------
drupal6 (6.12-1.1ubuntu1.2) karmic-security; urgency=low

  * SECURITY UPDATE: Multiple vulnerabilities and weaknesses
    (OpenID authentication bypass, file download access bypass,
    comment unpublishing bypass, and actions cross site scripting)
    were discovered in Drupal. (LP: #539056)
    - debian/patches/21_SA-CORE-2010-002.dpatch
    - CVE-2010-3685
    - CVE-2010-3686
    - SA-CORE-2010-002
  * SECURITY UPDATE: Multiple vulnerabilities and weaknesses
    (installation cross site scripting, open redirection, locale
    module cross site scripting and blocked user session regeneration)
    were discovered in Drupal. (LP: #539056)
    - debian/patches/21_SA-CORE-2010-002.dpatch
    - CVE-2010-3091
    - CVE-2010-3092
    - CVE-2010-3093
    - CVE-2010-3094
    - SA-CORE-2010-001
 -- Artur Rona <email address hidden> Tue, 28 Dec 2010 01:56:09 +0100

Changed in drupal6 (Ubuntu Karmic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal6 - 6.16-1ubuntu0.1

---------------
drupal6 (6.16-1ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Multiple vulnerabilities and weaknesses
    (OpenID authentication bypass, file download access bypass,
    comment unpublishing bypass, and actions cross site scripting)
    were discovered in Drupal. (LP: #539056)
    - debian/patches/21_SA-CORE-2010-002.dpatch
    - CVE-2010-3685
    - CVE-2010-3686
    - SA-CORE-2010-002
 -- Artur Rona <email address hidden> Tue, 28 Dec 2010 01:23:57 +0100

Changed in drupal6 (Ubuntu Lucid):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.