Bug 459130 - Security patch from drupal.org needs to be applied to spreadfirefox.com
Status: RESOLVED FIXED (Closed)
Opened 16 years ago, closed 16 years ago
Categories: Infrastructure & Operations Graveyard :: WebOps: Other, task
People: Reporter: paul, Assigned: justdave
Hello,
Can I get clearance to commit the following security patch from drupal.org:
http://drupal.org/files/sa-2008-060/SA-2008-060-5.10.patch
I'll then do final testing on spreadfirefox stage.
------------SA-2008-060 - DRUPAL CORE - MULTIPLE VULNERABILITIES------------
* Advisory ID: DRUPAL-SA-2008-060
* Project: Drupal core
* Versions: 5.x and 6.x
* Date: 2008-October-8
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
------------DESCRIPTION------------
Multiple vulnerabilities and weaknesses were discovered in Drupal.
------------FILE UPLOAD ACCESS BYPASS------------
A logic error in the core upload module validation allowed unprivileged users
to attach files to content. This bug affects Drupal 6.x only.
Users can view files attached to content which they do not otherwise have
access to. This bug affects Drupal 5.x only.
If the core upload module is not enabled, your site will not be affected.
------------ACCESS RULES BYPASS------------
A deficiency in the user module allowed users who had been blocked by access
rules to continue logging into the site under certain conditions.
If you do not use the 'access rules' functionality in core, your site will not
be affected.
This bug affects both Drupal 5.x and Drupal 6.x.
------------BLOGAPI ACCESS BYPASS------------
The BlogAPI module does not implement correct validation for certain content
fields, allowing for values to be set for fields which would otherwise be
inaccessible on an internal Drupal form. We have hardened these checks in
BlogAPI module for this release, but the security team would like to re-iterate
that the 'Administer content with BlogAPI' permission should only be given to
trusted users.
If the core BlogAPI module is not enabled, your site will not be affected.
This bug affects both Drupal 5.x and Drupal 6.x.
------------NODE VALIDATION BYPASS------------
A weakness in the node module API [
http://api.drupal.org/api/function/hook_nodeapi ] allowed for node validation to
be bypassed in certain circumstances for contributed modules implementing the
API. Additional checks have been added to ensure that validation is performed in
all cases. This vulnerability only affects sites using one of a very small
number of contributed modules, all of which will continue to work correctly with
the improved API. None of them were found vulnerable, so our correction is a
preventative measure.
This bug affects Drupal 5.x only.
------------VERSIONS AFFECTED------------
* Drupal 5.x before version 5.11
* Drupal 6.x before version 6.5
------------SOLUTION------------
Install the latest version:
* If you are running Drupal 5.x then upgrade to Drupal 5.11 [
http://ftp.drupal.org/files/projects/drupal-5.11.tar.gz ].
* If you are running Drupal 6.x then upgrade to Drupal 6.5 [
http://ftp.drupal.org/files/projects/drupal-6.5.tar.gz ].
Note: the settings.php, robots.txt and .htaccess files have not changed and can
be left as they are if upgrading from the current version of Drupal.
If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade. The patches fix security
vulnerabilities, but do not contain other fixes which were released in these
versions.
* To patch Drupal 5.10 use SA-2008-060-5.10.patch [
http://drupal.org/files/sa-2008-060/SA-2008-060-5.10.patch ].
* To patch Drupal 6.4 use SA-2008-047-6.4.patch [
http://drupal.org/files/sa-2008-060/SA-2008-060-6.4.patch ].
------------REPORTED BY------------
* The upload module flaw was reported by Damien Tournoud [
http://drupal.org/user/22211 ]*
* The access rules bypass was reported by jry2000 [
http://drupal.org/user/124456 ] and Stéphane Corlosquet [
http://drupal.org/user/52142 ]*
* The BlogAPI vulnerability was reported by Caleb Delnay [
http://drupal.org/user/115182 ], Gábor Hojtsy [ http://drupal.org/user/4166 ]*
and Heine Deelstra [ http://drupal.org/user/17943 ]*
* The node modules vulnerability was reported by Derek Wright [
http://drupal.org/user/46549 ]*
Names marked with asterisk are members of the Drupal security team [
http://drupal.org/security-team ].
------------CONTACT------------
The security team for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].
Comment 1•16 years ago
(In reply to comment #0)
> Can i get clearance to commit the following security patch from drupal.org ..
> http://drupal.org/files/sa-2008-060/SA-2008-060-5.10.patch
morgamic/buchanae, a= please? Let's get this patched ASAP.
OS: Mac OS X → All
Hardware: PC → All
Comment 2•16 years ago
Yes, please go ahead so we can test stage. a=morgamic
Thanks, Paul.
Comment 4•16 years ago
alix, stephend, want to QA this and give the green light for production?
changes should be on spreadfirefox.authstage.mozilla.com
Comment 5•16 years ago
I:
* re-ran my Selenium testsuite (http://viewvc.svn.mozilla.org/vc/projects/spreadfirefox.com/tests/spreadfirefox_bft.html?view=markup); it'll need to be updated to accommodate the changes to the Affiliates pages, but the other parts pass
* signed up for an account
* successfully changed my password
...all on spreadfirefox.authstage.mozilla.com
Paul: anything specific I and Alex should be looking for while testing?
Comment 6•16 years ago
Stephend, the patch was all to core includes and modules and all the patches applied successfully. If the main functions work, I'd say let's get this pushed
Comment 7•16 years ago
(In reply to comment #6)
> Stephend, the patch was all to core includes and modules and all the patches
> applied successfully. If the main functions work, I'd say let's get this
> pushed
Seconded; the script covers a fair amount of functionality, and all the important things are tested either through it or via my manual testing.
Comment 8•16 years ago
tagged production in r18979
over to IT for an svn up and run update.php please
thanks!
Assignee: nobody → server-ops
Component: spreadfirefox.com → Server Operations: Web Content Push
Product: Websites → mozilla.org
QA Contact: spreadfirefox-com → mrz
Version: unspecified → other
Updated•16 years ago
Assignee: server-ops → justdave
Comment 9•16 years ago
U modules/upload/upload.module
U modules/node/node.module
U modules/og/og.module
U modules/blogapi/blogapi.module
U modules/user/user.module
U .
Updated to revision 18979.
update.php says no schema changes needed.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
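A post-push check of the kind comment 9 does by hand, added here as an example (not code from this bug, from Mozilla IT or from Drupal): it parses the `svn up` output quoted above, confirms the revision is the one tagged in comment 8, reports conflicts, and compares the touched files against the module files the advisory's four sections cover. The expected-file set is an assumed mapping of advisory sections to Drupal 5.x module files, and the output text is a constructed copy of the lines in comment 9.

```python
import re

# Constructed copy of the `svn up` output shown in comment 9 of this bug.
SVN_UP_OUTPUT = """\
U modules/upload/upload.module
U modules/node/node.module
U modules/og/og.module
U modules/blogapi/blogapi.module
U modules/user/user.module
U .
Updated to revision 18979.
"""

# Assumed mapping of the four SA-2008-060 sections (upload, access rules,
# BlogAPI, node validation) to the Drupal 5.x module files they change.
EXPECTED_FILES = {
    "modules/upload/upload.module",
    "modules/user/user.module",
    "modules/blogapi/blogapi.module",
    "modules/node/node.module",
}

STATUS_RE = re.compile(r"^([ACDGU])\s+(\S.*)$")   # "U path", "C path", ...
REV_RE = re.compile(r"^Updated to revision (\d+)\.$")


def parse_svn_up(output):
    """Return (touched_files, conflicted_files, revision) from `svn up` output."""
    touched, conflicts, revision = set(), set(), None
    for line in output.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status, path = m.groups()
            if path == ".":            # the working copy root itself, not a file
                continue
            touched.add(path)
            if status == "C":          # a conflict means the patch did not land cleanly
                conflicts.add(path)
            continue
        m = REV_RE.match(line)
        if m:
            revision = int(m.group(1))
    return touched, conflicts, revision


def check_push(output, expected_files, expected_revision):
    """Compare what svn actually updated with what the advisory patch should touch."""
    touched, conflicts, revision = parse_svn_up(output)
    return {
        "revision_ok": revision == expected_revision,
        "conflicts": sorted(conflicts),
        "missing": sorted(expected_files - touched),     # patched files that did not update
        "unexpected": sorted(touched - expected_files),  # files changed beyond the advisory
    }
```

Run against the quoted output, `og.module` is reported as unexpected: it is not part of the core patch and is worth a second look before closing the push.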
Updated•11 years ago
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Updated•6 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard