[SECURITY] Fedora 11 Update: drupal-date-6.x.2.4-0.fc11

updates at fedoraproject.org updates at fedoraproject.org
Sat Sep 19 00:11:04 UTC 2009


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-9736
2009-09-18 23:22:13
--------------------------------------------------------------------------------

Name        : drupal-date
Product     : Fedora 11
Version     : 6.x.2.4
Release     : 0.fc11
URL         : http://drupal.org/project/date
Summary     : This package contains both the Date module and a Date API module
Description :
The Date API is available to be used by other modules and is not dependent
on having CCK installed.  The date module is a flexible date/time field
type for the cck content module which requires the CCK content.module and
the Date API module.

--------------------------------------------------------------------------------
Update Information:

 * Advisory ID: DRUPAL-SA-CONTRIB-2009-057     ( http://drupal.org/node/579144 )
* Project: Date (third-party module)   * Version: 5.x, 6.x   * Date:
2009-September-16   * Security risk: Moderately critical   * Exploitable from:
Remote   * Vulnerability: Cross Site Scripting    -------- DESCRIPTION
---------------------------------------------------------    The Date module
provides a date CCK field that can be added to any content  type. The Date
module does not properly escape user data correctly in some  cases when setting
the page title. A malicious user with permission to post  date content could
attempt a cross site scripting [1] (XSS) attack when  creating or editing
content, leading to the user gaining full administrative  access.  --------
VERSIONS AFFECTED ---------------------------------------------------     * Date
for Drupal 6.x prior to 6.x-2.4   * Date for Drupal 6.x prior to 5.x-2.8
Drupal core is not affected. If you do not use the contributed Date module,
there is nothing you need to do.  -------- SOLUTION
------------------------------------------------------------    Upgrade to the
latest version:   * If you use Date for Drupal 6.x upgrade to Date 6.x-2.4 [2]
* If you use Date for Drupal 5.x upgrade to Date 5.x-2.8 [3]    See also the
Date project page [4].  -------- REPORTED BY
---------------------------------------------------------    The Acquia, Inc.
support team  -------- FIXED BY
------------------------------------------------------------    Karen Stevenson
[5], the project maintainer.  -------- CONTACT
-------------------------------------------------------------    The security
contact for Drupal can be reached at security at drupal.org or  via the form at
http://drupal.org/contact.    [1] http://en.wikipedia.org/wiki/Cross-
site_scripting  [2] http://drupal.org/node/579000  [3]
http://drupal.org/node/578998  [4] http://drupal.org/project/date  [5]
http://drupal.org/user/45874
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep 16 2009 Jon Ciesla <limb at jcomserv.net> - 6.x.2.4-0
- Update to new version.
- Fix for DRUPAL-SA-CONTRIB-2009-057.
* Wed Jul 29 2009 Jon Ciesla <limb at jcomserv.net> - 6.x.2.3-0
- Update to new version.
- Fix for DRUPAL-SA-CONTRIB-2009-046.
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 6.x.2.0-2.rc4.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update drupal-date' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------




More information about the Fedora-package-announce mailing list