Debian: New drupal packages fix execution of arbitrary web script code
Summary
A SQL injection vulnerability has been discovered in the "count" and
"from" variables of the database interface.
CVE-2006-2743
Multiple file extensions were handled incorrectly if Drupal ran on
Apache with mod_mime enabled.
CVE-2006-2831
A variation of CVE-2006-2743 was addressed as well.
CVE-2006-2832
A Cross-Site-Scripting vulnerability in the upload module has been
discovered.
CVE-2006-2833
A Cross-Site-Scripting vulnerability in the taxonomy module has been
discovered.
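The mod_mime issue above (CVE-2006-2743) comes from Apache's mod_mime considering every extension of a filename, not only the last one, so an uploaded file whose name carries a script extension before a harmless final one can be served by a script handler. The following audit function is an added example, not part of the Debian advisory or of Drupal's code; it flags such names in an upload directory. The directory path and the list of script extensions are assumptions for the example.

```shell
#!/bin/sh
# Added example (not Debian's or Drupal's code): find uploaded files whose
# non-final extension is one Apache mod_mime would hand to a script handler,
# e.g. "notes.php.txt". The extension list below is an assumption; extend it
# to match the handlers configured on the server being audited.

# is_multi_ext_script NAME
# Returns 0 when NAME has at least two extensions and any extension other
# than the last is a script extension; returns 1 otherwise.
is_multi_ext_script() {
    # Basename, lower-cased so "Photo.PHTML.jpg" is caught as well.
    name=$(printf '%s' "${1##*/}" | tr 'A-Z' 'a-z')
    stem=${name%.*}              # drop the final extension
    case "$stem" in
        *.*) ;;                  # still has a dot: two or more extensions
        *) return 1 ;;           # single extension (or none): normal handling
    esac
    rest=${stem#*.}              # intermediate extensions, e.g. "php" or "y.php"
    while :; do
        ext=${rest%%.*}
        case "$ext" in
            php|php3|php4|php5|phtml|cgi|pl|py|sh) return 0 ;;
        esac
        case "$rest" in
            *.*) rest=${rest#*.} ;;
            *) break ;;
        esac
    done
    return 1
}

# audit_dir DIR
# Prints one line per regular file in DIR that is_multi_ext_script flags.
audit_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_multi_ext_script "$f"; then
            echo "suspicious multi-extension upload: $f"
        fi
    done
}

# Usage (path is an assumption): audit_dir /var/www/drupal/files
```

A clean result from this audit does not replace the package upgrade; it only tells you whether files that would trigger the handler mismatch are already present.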
For the stable distribution (sarge) these problems have been fixed in
version 4.5.3-6.1sarge1.
For the unstable distribution (sid) these problems have been fixed in
version 4.5.8-1.1.
We recommend that you upgrade your drupal packages.
Upgrade Instructions
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
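The manual wget/dpkg path above gives no integrity check between download and install; the advisory's Size/MD5 lines are meant to supply one. The script below is an added example, not part of the advisory, that wraps the procedure so the file is installed only when both its size and its MD5 checksum match what the advisory lists. The download URL is a placeholder, since the advisory text here lists sizes and checksums without filenames.

```shell
#!/bin/sh
# Added example (not from the Debian advisory): fetch a package, check its
# size and MD5 against the values printed in the advisory, then install it.
set -u

# verify_md5 FILE EXPECTED_MD5 -> 0 if the file's MD5 matches, 1 otherwise
verify_md5() {
    file=$1
    expected=$2
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# verify_size FILE EXPECTED_BYTES -> 0 if the byte count matches
verify_size() {
    file=$1
    expected=$2
    actual=$(wc -c < "$file" | tr -d ' ')
    [ "$actual" -eq "$expected" ]
}

# fetch_and_install URL EXPECTED_BYTES EXPECTED_MD5
# Downloads URL with wget and runs dpkg -i only after both checks pass.
fetch_and_install() {
    url=$1
    size=$2
    md5=$3
    file=${url##*/}
    wget -q -O "$file" "$url" || { echo "download failed: $url" >&2; return 1; }
    verify_size "$file" "$size" || { echo "size mismatch for $file" >&2; return 1; }
    verify_md5 "$file" "$md5" || return 1
    dpkg -i "$file"
}

# Usage: the URL is a placeholder; take the real one from the advisory footer.
# The size and checksum are the architecture-independent entry from the advisory.
# fetch_and_install "http://security.debian.org/PLACEHOLDER/drupal.deb" 506884 e4cdba2730662752d8f83fc101ab58a5
```

Matching size and checksum only shows the file is the one the advisory describes; the apt-get route additionally checks the archive's signed Release file, which is why the advisory recommends it.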
Debian GNU/Linux 3.1 alias sarge
Size/MD5 checksum: 625 8323ad6164c5beb6e9c7631272fbaee8
Size/MD5 checksum: 83802 35863480a9da96adbe6731b014d204c8
Size/MD5 checksum: 471540 bf093c4c8aca7bba62833ea1df35702f
Architecture independent components:
Size/MD5 checksum: 506884 e4cdba2730662752d8f83fc101ab58a5
These files will probably be moved into the stable distribution on
its next update.
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org