Closed Bug 469100 Opened 16 years ago Closed 16 years ago

Security patch from drupal.org needs to be applied to spreadthunderbird.com

Categories

(Mozilla Messaging Graveyard :: Server Operations, defect)

x86
macOS
defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: paul, Unassigned)

Details

------------SA-2008-073 - DRUPAL CORE - MULTIPLE VULNERABILITIES------------

 * Advisory ID: DRUPAL-SA-2008-073

 * Project: Drupal core

 * Versions: 5.x and 6.x

 * Date: 2008-December-10

 * Security risk: Moderately Critical

 * Exploitable from: Remote

 * Vulnerability: Multiple vulnerabilities

------------DESCRIPTION------------

Multiple vulnerabilities and weaknesses were discovered in Drupal.

CROSS SITE REQUEST FORGERY

The update system is vulnerable to Cross site request forgeries [
http://en.wikipedia.org/wiki/Csrf ]. Malicious users may cause the superuser
(user 1) to execute old updates that may damage the database.

CROSS SITE SCRIPTING

When an input format is deleted, not all existing content on a site is updated
to reflect this deletion. Such content is then displayed unfiltered. This may
lead to cross site scripting [ http://en.wikipedia.org/wiki/Cross-site_scripting
] attacks when harmful tags are no longer stripped from 'malicious' content that
was posted earlier.

------------VERSIONS AFFECTED------------

 * Drupal 5.x before version 5.13

 * Drupal 6.x before version 6.7

------------SOLUTION------------

Install the latest version:

 * If you are running Drupal 5.x then upgrade to Drupal 5.13 [
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz ].

 * If you are running Drupal 6.x then upgrade to Drupal 6.7 [
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz ].

Note: the robots.txt and .htaccess files have changed and need to be replaced.
The settings.php file has not been changed and can be left as it was if
upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade. The patches fix security
vulnerabilities, but do not contain other fixes which were released in these
versions.

 * To patch Drupal 5.12 use SA-2008-073-5.12.patch [
http://drupal.org/files/sa-2008-073/SA-2008-073-5.12.patch ].

 * To patch Drupal 6.6 use SA-2008-073-6.6.patch [
http://drupal.org/files/sa-2008-073/SA-2008-073-6.6.patch ].

------------REPORTED BY------------

Both issues were reported by David Rothstein (David_Rothstein [
http://drupal.org/user/124982 ]).

------------CONTACT------------

The security team for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].
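
An added example, not part of the advisory or of Drupal's own code: one way to audit for the condition described under CROSS SITE SCRIPTING is to list content rows whose input format id no longer exists. The table and column names (filter_formats, node_revisions, comments, boxes) and the treatment of format 0 as the site default are assumptions modelled on a Drupal 6 database; the sample rows are constructed.

```python
import sqlite3

# Constructed miniature of the relevant tables (assumed Drupal 6 layout).
SCHEMA = """
CREATE TABLE filter_formats (format INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE node_revisions (vid INTEGER PRIMARY KEY, nid INTEGER, body TEXT, format INTEGER);
CREATE TABLE comments (cid INTEGER PRIMARY KEY, nid INTEGER, comment TEXT, format INTEGER);
CREATE TABLE boxes (bid INTEGER PRIMARY KEY, body TEXT, format INTEGER);
"""

# (table, key column) pairs that store a per-row input format id.
CONTENT_TABLES = [("node_revisions", "vid"), ("comments", "cid"), ("boxes", "bid")]


def find_orphaned_content(conn):
    """Return [(table, row_id, format_id)] for rows whose format was deleted."""
    orphans = []
    for table, key in CONTENT_TABLES:  # fixed allow-list, never user input
        rows = conn.execute(
            f"SELECT t.{key}, t.format FROM {table} AS t "
            "LEFT JOIN filter_formats AS f ON f.format = t.format "
            # Assumption: format 0 means "site default", so it is not an orphan.
            f"WHERE f.format IS NULL AND t.format <> 0 ORDER BY t.{key}"
        )
        orphans.extend((table, row_id, fmt) for row_id, fmt in rows)
    return orphans


def build_sample_db():
    """Constructed sample: format 3 was deleted, old content still points at it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO filter_formats VALUES (?, ?)",
                     [(1, "Filtered HTML"), (2, "Full HTML")])
    conn.executemany("INSERT INTO node_revisions VALUES (?, ?, ?, ?)",
                     [(10, 5, "ordinary post", 1), (11, 6, "<b>old markup</b>", 3),
                      (12, 7, "uses site default", 0)])
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?, ?)",
                     [(20, 5, "fine", 1), (21, 6, "legacy comment", 3)])
    conn.executemany("INSERT INTO boxes VALUES (?, ?, ?)", [(30, "sidebar", 2)])
    return conn


if __name__ == "__main__":
    for table, row_id, fmt in find_orphaned_content(build_sample_db()):
        print(f"{table} id={row_id} references missing format {fmt}")
```

Rows reported by the audit are the ones to review and reassign to an existing, restrictive format.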
Summary: Security patch from drupal.org needs to be applied to spreadfirefox.com → Security patch from drupal.org needs to be applied to spreadthunderbird.com
Package, built and installed on staging.

Paul, can you give me the green light to deploy to production as well?
There looks to be a minor problem (affecting our drupal installation) which is going to be resolved later today.

http://drupal.org/node/345495

I'll keep you posted.

Paul
The further upgrade to resolve a minor problem looks to be delayed. I think we should push through the changes to production as the changes fix a security issue with core.

The problem currently on stage is as follows.

1. Login
2. Drupal reports that ..

warning: Wrong parameter count for session_set_cookie_params() in /usr/share/drupal/includes/session.inc on line 103.

3. Subsequent pages do not show any warning.


Best, Paul
Couldn't that problem be easily fixed by figuring out what's wrong with that warning and making it go away?
:-)

The drupal security team are working on this and a further patch is imminent. I am not sure if I should spend company time working on something that is already being worked on by a team of people who already have a good understanding of the security problem.

If things don't change over the weekend and I have some time I will probably take a look though.

Best, Paul
So, do we push the current drupal version to production, with the warning, and hope they have resolved the warning next week, and upgrade again then?

If you are okay with keeping the warning in production over the week-end, I am glad to push the upgrade.

Cheers.
(In reply to comment #6)
> So, do we push the current drupal version to production, with the warning, and
> hope they have resolved the warning next week, and upgrade again then?

I think we should push the changes through as the drupal security team advise that the changes fix a core security problem.
> 
> If you are okay with keeping the warning in production over the week-end, I am
> glad to push the upgrade.
> 
> Cheers.
Dec 12 12:13:19 Updated: drupal - 6.7-1.centos5.noarch
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED