Closed Bug 463423 Opened 16 years ago Closed 16 years ago

CCK needs to be upgraded.

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

Product:
Infrastructure & Operations Graveyard
Component:
WebOps: Other
Type:
task
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: paul, Assigned: reed)

References

(
URL
)

Details

Can we please upgrade CCK, thanks


------------SA-2008-069 - CCK FOR 5.X AND 6.X - XSS VULNERABILITIES------------

 * Advisory ID: DRUPAL-SA-2008-069

 * Project: Content Construction Kit (third-party module)

 * Versions: 5.x, 6.x

 * Date: 2008-November-5

 * Security risk: Minor

 * Exploitable from: Remote

 * Vulnerability: Cross site scripting

------------DESCRIPTION------------

The Content Construction Kit (CCK) allows certain privileged users to add
custom fields to content types using a web browser.

Some field labels and content-type names are displayed without appropriate
filtering in the administrative interface. Malicious users with the "administer
content" permission are able to exploit this issue and insert arbitrary HTML and
script code into pages. Such a cross site scripting attack (XSS) may lead to the
malicious user gaining full administrative access.

This is only an issue if you need any role separation between administrators
and users with the "administer content" permission.

------------VERSIONS AFFECTED------------

 * CCK for Drupal 5.x prior to 5.x-1.10

 * CCK for Drupal 6.x prior to 6.x-2.0 (including all RC releases)

Drupal core is not affected. If you do not use the contributed CCK module,
there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

 * For Drupal 5.x, install CCK 5.x-1.10 [ http://drupal.org/node/330570 ]

 * For Drupal 6.x, install CCK 6.x-2.0 [ http://drupal.org/node/330573 ]

See also the CCK project page [ http://drupal.org/project/cck ].

------------REPORTED BY------------

The cross site scripting issue was reported by CCK maintainers.
r19570 commits patch to trunk.

r19571 tags upgrade for production.

over to IT for svn up and updates.php run please

Thanks!
Assignee: nobody → server-ops
Severity: critical → major
Component: spreadfirefox.com → Server Operations: Web Content Push
OS: Mac OS X → All
Product: Websites → mozilla.org
QA Contact: spreadfirefox-com → mrz
Hardware: PC → All
Version: unspecified → other
(In reply to comment #2)
> over to IT for svn up and updates.php run please

[root@mradm02 www.spreadfirefox.com]# svn up
U    sites/all/modules/cck/content_panels.inc
U    sites/all/modules/cck/userreference.info
U    sites/all/modules/cck/nodereference.module
U    sites/all/modules/cck/fieldgroup.info
U    sites/all/modules/cck/content_copy.info
U    sites/all/modules/cck/CHANGELOG.txt
U    sites/all/modules/cck/text.info
U    sites/all/modules/cck/po/cck.pot
U    sites/all/modules/cck/po/de.po
U    sites/all/modules/cck/po/nl.po
U    sites/all/modules/cck/userreference.module
U    sites/all/modules/cck/number.info
U    sites/all/modules/cck/content_copy.module
U    sites/all/modules/cck/optionwidgets.info
U    sites/all/modules/cck/nodereference.info
U    sites/all/modules/cck/content_crud.inc
U    sites/all/modules/cck/content_views.inc
U    sites/all/modules/cck/content.info
U    sites/all/modules/cck/text.module
U    sites/all/modules/cck/number.module
 U   sites/all/modules/cck
Updated to revision 19571.

There weren't any updates.
Assignee: server-ops → reed
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in before you can comment on or make changes to this bug.