author | brooks <brooks@FreeBSD.org> | 2007-01-06 05:32:19 +0800 |
---|---|---|
committer | brooks <brooks@FreeBSD.org> | 2007-01-06 05:32:19 +0800 |
commit | 07f8fdcf4a87c7fbb969a913c0f76e8f440324c9 (patch) | |
tree | 331387ebb5f420eeff8e6d78f12f094f6305f861 /security | |
parent | d63909dedfa7ef12b0de3c13709b4592b6c6e365 (diff) | |
Upgrade drupal to 4.7.5 fixing a couple security issues.
Upgrade drupal-pubcookie and drupal-textile to the 4.7 versions.
Submitted by: Nick Hilliard <nick at foobar dot org> (upgrade to 4.7.4)
Security: vid:3d8d3548-9d02-11db-a541-000ae42e9b93
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index c669b6b6aa71..80d226ba2c9a 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,47 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="3d8d3548-9d02-11db-a541-000ae42e9b93"> + <topic>drupal -- multiple vulnerabilities</topic> + <affects> + <package> + <name>drupal</name> + <range><gt>4.7</gt><lt>4.7.5</lt></range> + <range><lt>4.6.11</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Drupal security team reports:</p> + <blockquote cite="http://drupal.org/files/sa-2007-001/advisory.txt"> + <p>A few arguments passed via URLs are not properly sanitized + before display. When an attacker is able to entice an + administrator to follow a specially crafted link, arbitrary + HTML and script code can be injected and executed in the + victim's session. Such an attack may lead to administrator + access if certain conditions are met.</p> + </blockquote> + <blockquote cite="http://drupal.org/files/sa-2007-002/advisory.txt"> + <p>The way page caching was implemented allows a denial of + service attack. An attacker has to have the ability to post + content on the site. He or she would then be able to poison + the page cache, so that it returns cached 404 page not found + errors for existing pages.</p> + <p>If the page cache is not enabled, your site is not vulnerable. + The vulnerability only affects sites running on top of MySQL.</p> + </blockquote> + </body> + </description> + <references> + <url>http://drupal.org/files/sa-2007-001/advisory.txt</url> + <url>http://drupal.org/files/sa-2007-002/advisory.txt</url> + </references> + <dates> + <discovery>2007-01-05</discovery> + <entry>2007-01-05</entry> + </dates> + </vuln> + <vuln vid="9347d82d-9a66-11db-b271-000e35248ad7"> <topic>w3m -- format string vulnerability</topic> <affects> |
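Review bot: The first range in the new `<affects>` block has an exclusive lower bound, `<gt>4.7</gt>`, so a package whose version compares equal to 4.7 matches neither that range nor `<lt>4.6.11</lt>` and would be reported as unaffected. If the intent is to cover the whole 4.7 branch below 4.7.5, use `<ge>4.7</ge>` there, or add a short XML comment saying why the bare 4.7 version is excluded. It would also help to state in the entry that the gap between 4.6.11 and 4.7 is deliberate (4.6.11 being the fixed release on the 4.6 branch), since the quoted advisories in the `<description>` do not name the fixed versions and the commit message only mentions 4.7.5.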