Drupal 6.15 - Security patches released

Bug #510421 reported by Blastoff
This bug affects 3 people
Affects            Status         Importance   Assigned to   Milestone
drupal5 (Ubuntu)   Invalid        Undecided    Unassigned
  Jaunty           Fix Released   Undecided    Unassigned
  Karmic           Fix Released   Undecided    Unassigned
  Lucid            Invalid        Undecided    Unassigned
drupal6 (Ubuntu)   Fix Released   Low          Unassigned
  Jaunty           Fix Released   Undecided    Unassigned
  Karmic           Fix Released   Undecided    Unassigned
  Lucid            Fix Released   Low          Unassigned

Bug Description

Binary package hint: drupal6

It appears from Karmic's changelog that Drupal hasn't been updated since Sat, 10 Oct 2009.
The latest Drupal 6 update (6.15), released on December 16, 2009, contains a fix for an XSS vulnerability.

You can read about it at http://drupal.org/node/661600

Tags: patch
Blastoff (wolph)
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in drupal6 (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Artur Rona (ari-tczew) wrote :

I'll take this one. It will be done after the final close of bug 431080.
Note: version 6.15 is currently available in lucid, so the bug is affecting the jaunty and karmic releases. Should be tasked.

Changed in drupal6 (Ubuntu):
assignee: nobody → Artur Rona (ari-tczew)
Artur Rona (ari-tczew) wrote :

No longer drupal5 in lucid.

Changed in drupal5 (Ubuntu Lucid):
status: New → Invalid
Artur Rona (ari-tczew) wrote :

drupal6 (6.15-1) unstable; urgency=low

  * New upstream release (Closes: #561726)
    - Fixes several XSS vulnerabilities (Closes: #562165)
      (Ref: SA-CORE-2009-009, CVE-2009-4369, CVE-2009-4370, CVE-2009-4371)

  * debian/rules
    - Use dh_prep instead of dh_clean -k

  * debian/control
    - Upgraded versioned dependency on debhelper to 7

  * debian/README.source
    - Added directions on source handling
 -- Ubuntu Archive Auto-Sync <email address hidden> Mon, 18 Jan 2010 07:30:21 +0000

Changed in drupal6 (Ubuntu Lucid):
status: Confirmed → Fix Released
assignee: Artur Rona (ari-tczew) → nobody
Changed in drupal5 (Ubuntu Jaunty):
assignee: nobody → Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Karmic):
assignee: nobody → Artur Rona (ari-tczew)
Changed in drupal6 (Ubuntu Jaunty):
assignee: nobody → Artur Rona (ari-tczew)
Changed in drupal6 (Ubuntu Karmic):
assignee: nobody → Artur Rona (ari-tczew)
Yves (k-launchpad-fort-knox-org) wrote :

Is a fix still planned for jaunty? It's been a week since the fix for lucid was released; if not, I can create my own. However, if you are planning on a release, then I don't need to :)

Artur Rona (ari-tczew) wrote :

Of course, I'm going to fix the issue in jaunty and karmic, both for drupal5 and drupal6, so you don't need to spend time on this. At the latest, the patch will be uploaded next week.

Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Jaunty):
status: New → Confirmed
Changed in drupal5 (Ubuntu Karmic):
status: New → Confirmed
Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Jaunty):
status: Confirmed → In Progress
Changed in drupal5 (Ubuntu Karmic):
status: Confirmed → In Progress
Artur Rona (ari-tczew) wrote :
tags: added: patch
Changed in drupal5 (Ubuntu Jaunty):
assignee: Artur Rona (ari-tczew) → nobody
status: In Progress → Confirmed
Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Karmic):
assignee: Artur Rona (ari-tczew) → nobody
status: In Progress → Confirmed
Artur Rona (ari-tczew)
Changed in drupal6 (Ubuntu Jaunty):
assignee: Artur Rona (ari-tczew) → nobody
status: New → Confirmed
Changed in drupal6 (Ubuntu Karmic):
assignee: Artur Rona (ari-tczew) → nobody
status: New → Confirmed
Changed in drupal6 (Ubuntu Jaunty):
assignee: nobody → Artur Rona (ari-tczew)
status: Confirmed → In Progress
Changed in drupal6 (Ubuntu Karmic):
assignee: nobody → Artur Rona (ari-tczew)
status: Confirmed → In Progress
Artur Rona (ari-tczew)
Changed in drupal6 (Ubuntu Jaunty):
assignee: Artur Rona (ari-tczew) → nobody
status: In Progress → Confirmed
Artur Rona (ari-tczew) wrote :
Artur Rona (ari-tczew) wrote :
Artur Rona (ari-tczew) wrote :
Changed in drupal6 (Ubuntu Karmic):
assignee: Artur Rona (ari-tczew) → nobody
status: In Progress → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs Artur, the updated packages have been uploaded.

Next time, could you please use the updated patch tagging guidelines, as we've now switched to Debian's format:

http://dep.debian.net/deps/dep3/

Changed in drupal5 (Ubuntu Jaunty):
status: Confirmed → Fix Committed
Changed in drupal5 (Ubuntu Karmic):
status: Confirmed → Fix Committed
Changed in drupal6 (Ubuntu Jaunty):
status: Confirmed → Fix Committed
Changed in drupal6 (Ubuntu Karmic):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal6 - 6.12-1.1ubuntu1.1

---------------
drupal6 (6.12-1.1ubuntu1.1) karmic-security; urgency=low

  * debian/patches/22_SA-CORE-2009-009.dpatch:
    - SECURITY UPDATE due to multiple vulnerabilities
      and weaknesses were discovered in Drupal (LP: #510421)
    - CVE-2009-4369
    - CVE-2009-4370
    - CVE-2009-4371
 -- Artur Rona <email address hidden> Mon, 22 Feb 2010 00:13:26 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal5 - 5.18-1.1ubuntu2.1

---------------
drupal5 (5.18-1.1ubuntu2.1) karmic-security; urgency=low

  * debian/patches/22_SA-CORE-2009-009.dpatch:
    - SECURITY UPDATE due to multiple vulnerabilities
      and weaknesses were discovered in Drupal (LP: #510421)
    - CVE-2009-4369
    - CVE-2009-4370
    - CVE-2009-4371
 -- Artur Rona <email address hidden> Mon, 22 Feb 2010 00:11:25 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal6 - 6.10-1ubuntu0.2

---------------
drupal6 (6.10-1ubuntu0.2) jaunty-security; urgency=low

  * debian/patches/22_SA-CORE-2009-009.dpatch:
    - SECURITY UPDATE due to multiple vulnerabilities
      and weaknesses were discovered in Drupal (LP: #510421)
    - CVE-2009-4369
    - CVE-2009-4370
    - CVE-2009-4371
 -- Artur Rona <email address hidden> Mon, 22 Feb 2010 00:12:33 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal5 - 5.15-1ubuntu1.2

---------------
drupal5 (5.15-1ubuntu1.2) jaunty-security; urgency=low

  * debian/patches/22_SA-CORE-2009-009.dpatch:
    - SECURITY UPDATE due to multiple vulnerabilities
      and weaknesses were discovered in Drupal (LP: #510421)
    - CVE-2009-4369
    - CVE-2009-4370
    - CVE-2009-4371
 -- Artur Rona <email address hidden> Sun, 21 Feb 2010 22:00:32 +0100

Changed in drupal5 (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Changed in drupal5 (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in drupal6 (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Changed in drupal6 (Ubuntu Karmic):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
