Change logs for drupal source package in Feisty

  • drupal (5.1-0ubuntu2.3) feisty-security; urgency=low
    
      * SECURITY UPDATE: (LP: 181984)
        - SA-2007-031: SQL injection possible when certain
          contributed modules are enabled
        - SA-2008-005: Cross site request forgery
        - SA-2008-006: Cross site scripting (UTF8)
      * References:
        - SA-2007-031: http://drupal.org/node/198162
                       http://drupal.org/node/198321 (fix for first patch)
        - SA-2008-005: http://drupal.org/node/208562 (fixed launchpad debdiff)
        - SA-2008-006: http://drupal.org/node/208564
    
     -- Emanuele Gentili <email address hidden>   Wed, 16 Jan 2008 01:29:22 +0100
  • drupal (5.1-0ubuntu2.2) feisty-security; urgency=low
    
      * SECURITY UPDATE:
        Drupal 5.1 and 5.2 have several security issues; these are:
        + CVE-2007-5593: install.php in Drupal 5.x before 5.3,
          when the configured database server is not reachable,
          allows remote attackers to execute arbitrary code via
          vectors that cause settings.php to be modified.
        + CVE-2007-5594: Drupal 5.x before 5.3 does not apply its
          Drupal Forms API protection against the user deletion form,
          which allows remote attackers to delete users via a cross-site
          request forgery (CSRF) attack.
        + CVE-2007-5595: CRLF injection vulnerability in the drupal_goto
          function in includes/common.inc Drupal 4.7.x before 4.7.8
          and 5.x before 5.3 allows remote attackers to inject arbitrary
          HTTP headers and conduct HTTP response splitting attacks via
          unspecified vectors.
        + CVE-2007-5596: The core Upload module in Drupal 4.7.x
          before 4.7.8 and 5.x before 5.3 places the .html extension
          on a whitelist, which allows remote attackers to conduct
          cross-site scripting (XSS) attacks by uploading .html files.
        + CVE-2007-5597: The hook_comments API in Drupal 4.7.x before 4.7.8
          and 5.x before 5.3 does not pass publication status, which might
          allow attackers to bypass access restrictions and trigger e-mail
          with unpublished comments from some modules, as demonstrated by
          (1) Organic groups and (2) Subscriptions.
      * debian/patches/23_SA-2007-025-5.2.dpatch:
        - Applied fix from upstream
          (http://drupal.org/files/sa-2007-025/SA-2007-025-5.2.patch)
      * debian/patches/25_SA-2007-029-5.2.dpatch:
        - Applied fix from upstream
          (http://drupal.org/files/sa-2007-029/SA-2007-029-5.2.patch)
      * debian/patches/22_SA-2007-024-5.2.dpatch:
        - Applied fix from upstream
          (http://drupal.org/files/sa-2007-024/SA-2007-024-5.2.patch)
      * debian/patches/24_SA-2007-026-5.2.dpatch:
        - Applied fix from upstream
          (http://drupal.org/files/sa-2007-026/SA-2007-026-5.2.patch)
      * debian/patches/26_SA-2007-030-5.2.dpatch:
        - Applied fix from upstream
          (http://drupal.org/files/sa-2007-030/SA-2007-030-5.2.patch)
      * References:
        CVE-2007-5593
        CVE-2007-5594
        CVE-2007-5595
        CVE-2007-5596
        CVE-2007-5597
    
     -- Stephan Hermann <email address hidden>   Tue, 13 Nov 2007 10:39:28 +0100
  • drupal (5.1-0ubuntu2.1) feisty-security; urgency=low
    
      * SECURITY UPDATE:
        Drupal 5.1 has some security flaws, which were detected.
        Those were remote exploits, namely:
        - Multiple cross site request forgeries
        - Multiple cross site scripting vulnerabilities
        + Further readings:
          http://drupal.org/node/162364
      * debian/patches/*
        - Added 20_SA-2007-017-5.1.dpatch, which fixes the cross site request
          forgeries
        - Added 21_SA-2007-018-5.1.dpatch, which fixes the cross site scripting
          vulnerabilities
      * References:
        + Drupal Advisories:
          - http://drupal.org/node/162360 (SA-2007-017-5.1)
          - http://drupal.org/node/162361 (SA-2007-018.5.1)
        + CVE:
          - CVE-2007-4064 (Cross Site Scripting Vulnerability)
          - CVE-2007-4063 (Cross Site Forgery)
    
     -- Stephan Hermann <email address hidden>   Thu, 06 Sep 2007 17:30:34 +0200
  • drupal (5.1-0ubuntu2) feisty; urgency=low
    
      * Rename postgresql-server-8.2 to postgresql-8.2, as the former
        doesn't exist. (LP: #106540)
    
     -- Luke Yelavich <email address hidden>   Sat, 14 Apr 2007 23:27:34 +1000
  • drupal (5.1-0ubuntu1) feisty; urgency=low
    
      * New upstream release.
      * debian/control:
        - Changed maintainer field, and added XSBC-Original_Maintainer
          field.
        - Removed all php4 dependencies.
        - Added php5-gd dependency for graphics.
        - Changed exim4 dependency to postfix.
        - Adjusted postgresql dependencies and recommends.
        - Fixed slight grammatical error in package long description.
        - Added homepage.
      * debian/drupal-5.1*: Renamed and modified for drupal 5.1.
      * debian/drupal-5.1.postinst: Add curl command-line to use drupal's
        install script to populate the database.
      * debian/rules:
        - Refined, so that version number only has to be changed once per
          new upstream release.
        - Removed copying of database files.
      * debian/patches/10_cronjob.dpatch: Modified to patch against drupal
        5.1, and added patch description.
      * debian/etc/*: Updated for drupal 5.1.
      * debian/README.Debian: revised.
      * Set apache2 as default web server.
    
     -- Luke Yelavich <email address hidden>   Mon, 12 Mar 2007 16:49:04 +1100
  • drupal (4.7.6-1) unstable; urgency=low
    
      * New upstream release
        - Fixes Arbitrary Code Execution (SA-2007-005) (Ref: CVE-TOBEASSIGNED)
    
    drupal (4.7.5-2) unstable; urgency=low
    
      [ Luigi Gangitano ]
      * debian/control
        - Bumped Standards-Version to 3.7.2 (no change needed)
        - Removed dependency on postgsql-{client,server}-8.0 which is not in
          the archive anymore
        - Removed Suggests: on ssl enabled apache
        - Removed strict dependency on apache*, added dependency on httpd | apache
    
      * debian/watch
        - Added debian watch file
    
      * Translations
        - Updated Dutch translations by Bart Cornelis
    
    drupal (4.7.5-1) unstable; urgency=low
    
      * New upstream release
        - Fixes Denial of Service (DRUPAL-SA-2007-002) (Ref: CVE-2007-0124)
        - Fixes CSS Vulnerability (DRUPAL-SA-2007-001) (Ref: CVE-2007-0136)
    
    drupal (4.7.4-3) unstable; urgency=low
    
      * debian/po/fr.po
        - Updated French debconf templates translation (Thanks to Thomas Huriaux)
          (Closes: #404967)
      
      * debian/control
        - Add php5 dependency (Closes: #405162)
    
    drupal (4.7.4-2) unstable; urgency=low
    
      * debian/control
        - Fixed dependency on postgresql-client
        - Removed dependency on makepasswd (not needed since we use
          dbconfig.common)
        - Removed dependency on php4-cli (not needed with new cron script)
        - Promote Recommends: php4 to Depends: php4
    
      * debian/etc/settings.php
        - Fix warning if baseurl.php does not exist
    
      * debian/copyright
        - Fixed copyright information as requested by ftp-master
    
    drupal (4.7.4-1) unstable; urgency=low
    
      * Prepare package for new inclusion in Debian
        - Thanks to Karl-Heinz Nirschl for keeping this package in his repository
          and allowing me to start from his work
        - Change (binary) package name to drupal-4.7 allowing for multiple versions
          to be installed concurrently, so admins can control upgrade between
          releases
        - Add dependency on dbconfig-common and switch custom config script to use
          functions provided by dbconfig-common (Closes: #366692)
        - Removed unused templates
        - Added dependency on curl for cron script execution
        - Take over removal request (Closes: #375496)
        - Update to latest revision (Closes: #307821, #365047, #365709)
    
    drupal (4.7.4-0brainlog1) unstable; urgency=low
    
      * new upstream release because patches do not apply cleanly
      * fixes: DRUPAL-SA-2006-024, DRUPAL-SA-2006-025, DRUPAL-SA-2006-026
    
    drupal (4.7.2-0brainlog4) unstable; urgency=low
    
      * add security fix DRUPAL-SA-2006-011
        XSS Vulnerability in user module
      * move scripts dir to doc
    
    drupal (4.7.2-0brainlog3) unstable; urgency=low
    
      * fix initial database generation - now checks for mysql version
    
    drupal (4.7.2-0brainlog2) unstable; urgency=low
    
      * Using a fresh tarball and no .svn files.
      * Fix x. permissions.
      * Use debian mysql maint password for mysql install
    
    drupal (4.7.2-0brainlog1) unstable; urgency=low
    
      * new upstream release
      * add patch handling to package
        - make cron job less verbose
    
    drupal (4.7.1-0brainlog1) unstable; urgency=low
    
      * new upstream version
    
    drupal (4.6.5-0brainlog1) unstable; urgency=low
    
      * update to drupal 4.6.5 (new upstream)
    
    drupal (4.6.3-0brainlog1) unstable; urgency=low
    
      * New upstream version (Closes: #307821)
      * based on the drupal 4.5.2-4 debian package
      * remove the auto update database stuff
      * added debconf entry for the base_url
    
     -- Michael Bienia <email address hidden>   Wed,  07 Feb 2007 17:14:15 +0000
  • drupal (4.5.8-5) unstable; urgency=low
    
      * QA upload.
      * Add updated Czech Translation (Closes: #389208)
    
    drupal (4.5.8-4) unstable; urgency=low
    
      * QA upload.
      * Check for debconf to be available in postrm (Closes: #388604) 
    
    drupal (4.5.8-3) unstable; urgency=low
    
      * QA upload.
      * Translations:
         + update Swedish by Daniel Nylander. (Closes: #350126)
      * Fix permissions on cron.sh. (Closes: #378068), other scripts
        and pictures.
      * Update Standards-Version to 3.7.2.
      * Make lintian happy:
         + use "opened" prompts.
    
     -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  07 Nov 2006 01:25:02 +0000
  • drupal (4.5.8-2) unstable; urgency=high
    
      * QA Upload for orphaned package.
        High urgency for security fix.
    
      * CVE-2006-4002: drupal XSS vulnerability (Closes: #382087).
        Apply upstream patch.
      * Setting maintainer to Debian QA Group.
      * Move debhelper to Build-Depends since used in clean target.
      * Acknowledging changes from NMU by Steiner Gunderson, thanks!
    
     -- Martin Pitt <email address hidden>   Tue,  15 Aug 2006 19:29:18 +0100