DSA-745-1 drupal -- input validation errors

Debian Security Advisory

DSA-745-1 drupal -- input validation errors

Date Reported:

10 Jul 2005

Affected Packages:

drupal

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2005-1921, CVE-2005-2106, CVE-2005-2116.

More information:

Two input validation errors were discovered in drupal and its bundled xmlrpc module. These errors can lead to the execution of arbitrary commands on the web server running drupal.

drupal was not included in the old stable distribution (woody).

For the current stable distribution (sarge), these problems have been fixed in version 4.5.3-3.

For the unstable distribution (sid), these problems have been fixed in version 4.5.4-1.

We recommend that you upgrade your drupal package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Source:

http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-3.dsc

http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3.orig.tar.gz

http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-3.diff.gz

Architecture-independent component:

http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-3_all.deb

MD5 checksums of the listed files are available in the original advisory.