Debian: New drupal packages fix execution of arbitrary web script code (revised packages)
Summary
CVE-2006-2742
A SQL injection vulnerability has been discovered in the "count" and
"from" variables of the database interface.
CVE-2006-2743
Multiple file extensions were handled incorrectly if Drupal ran on
Apache with mod_mime enabled.
CVE-2006-2831
A variation of CVE-2006-2743 was addressed as well.
CVE-2006-2832
A Cross-Site-Scripting vulnerability in the upload module has been
discovered.
CVE-2006-2833
A Cross-Site-Scripting vulnerability in the taxonomy module has been
discovered.
For the stable distribution (sarge) these problems have been fixed in
version 4.5.3-6.1sarge2.
For the unstable distribution (sid) these problems have been fixed in
version 4.5.8-1.1.
We recommend that you upgrade your drupal packages.
Upgrade Instructions
wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
Size/MD5 checksum: 625 24ef680aad55f19a2d55243f1cc3b0e6
Size/MD5 checksum: 83921 9c523e0320c94d975626cecbeccc440c
Size/MD5 checksum: 471540 bf093c4c8aca7bba62833ea1df35702f
Architecture independent components:
Size/MD5 checksum: 503110 e9b642fcb28e0ccd797f38b598d3a756
These files will probably be moved into the stable distribution on
its next update.
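The manual route above (wget, then dpkg -i) relies on the administrator checking the fetched file against the Size/MD5 listing before installing it. The following POSIX shell helper is an added example, not part of the Debian advisory, that performs that check and only then runs the dpkg -i step. It assumes md5sum is available; the download URL and file name in the usage comment are placeholders, since this copy of the advisory does not preserve the file names, while the size and digest quoted there are the architecture-independent values listed above.

```shell
#!/bin/sh
# Added example (not from the Debian advisory): verify a downloaded .deb
# against the size and MD5 checksum listed in the advisory before
# running "dpkg -i". The file name and URL in the usage comment below
# are placeholders; substitute the real ones from the advisory listing.

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only if both the byte count and the MD5 digest match the
# values given in the advisory; otherwise prints the reason and returns 1.
verify_deb() {
    file=$1
    expected_size=$2
    expected_md5=$3

    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # wc may pad with spaces on some platforms; strip them before comparing.
    actual_size=$(wc -c < "$file" | tr -d ' ')
    actual_md5=$(md5sum "$file" | cut -d' ' -f1)

    if [ "$actual_size" != "$expected_size" ]; then
        echo "size mismatch for $file: $actual_size != $expected_size" >&2
        return 1
    fi
    if [ "$actual_md5" != "$expected_md5" ]; then
        echo "md5 mismatch for $file: $actual_md5 != $expected_md5" >&2
        return 1
    fi
    return 0
}

# install_if_verified FILE EXPECTED_SIZE EXPECTED_MD5
# Wraps the advisory's "dpkg -i file.deb" step behind verify_deb, so a
# truncated or tampered download is never handed to dpkg.
install_if_verified() {
    verify_deb "$1" "$2" "$3" || return 1
    dpkg -i "$1"
}

# Usage (placeholder URL and file name; size and MD5 are the
# architecture-independent values from the advisory listing):
#   wget http://PLACEHOLDER.debian.org/PLACEHOLDER_drupal.deb
#   install_if_verified PLACEHOLDER_drupal.deb 503110 e9b642fcb28e0ccd797f38b598d3a756
```

The check is only as strong as the listing it is compared against, so the advisory should be read from the signed debian-security-announce mail rather than from an unauthenticated copy. The apt-get route does not need this step: apt verifies the archive's signed Release files itself.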
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org