[SECURITY] Fedora 11 Update: drupal-date-6.x.2.4-0.fc11
updates at fedoraproject.org
updates at fedoraproject.org
Sat Sep 19 00:11:04 UTC 2009
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-9736
2009-09-18 23:22:13
--------------------------------------------------------------------------------
Name : drupal-date
Product : Fedora 11
Version : 6.x.2.4
Release : 0.fc11
URL : http://drupal.org/project/date
Summary : This package contains both the Date module and a Date API module
Description :
The Date API is available to be used by other modules and is not dependent
on having CCK installed. The date module is a flexible date/time field
type for the cck content module which requires the CCK content.module and
the Date API module.
--------------------------------------------------------------------------------
Update Information:
* Advisory ID: DRUPAL-SA-CONTRIB-2009-057 ( http://drupal.org/node/579144 )
* Project: Date (third-party module) * Version: 5.x, 6.x * Date:
2009-September-16 * Security risk: Moderately critical * Exploitable from:
Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION
--------------------------------------------------------- The Date module
provides a date CCK field that can be added to any content type. The Date
module does not properly escape user data correctly in some cases when setting
the page title. A malicious user with permission to post date content could
attempt a cross site scripting [1] (XSS) attack when creating or editing
content, leading to the user gaining full administrative access. --------
VERSIONS AFFECTED --------------------------------------------------- * Date
for Drupal 6.x prior to 6.x-2.4 * Date for Drupal 6.x prior to 5.x-2.8
Drupal core is not affected. If you do not use the contributed Date module,
there is nothing you need to do. -------- SOLUTION
------------------------------------------------------------ Upgrade to the
latest version: * If you use Date for Drupal 6.x upgrade to Date 6.x-2.4 [2]
* If you use Date for Drupal 5.x upgrade to Date 5.x-2.8 [3] See also the
Date project page [4]. -------- REPORTED BY
--------------------------------------------------------- The Acquia, Inc.
support team -------- FIXED BY
------------------------------------------------------------ Karen Stevenson
[5], the project maintainer. -------- CONTACT
------------------------------------------------------------- The security
contact for Drupal can be reached at security at drupal.org or via the form at
http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross-
site_scripting [2] http://drupal.org/node/579000 [3]
http://drupal.org/node/578998 [4] http://drupal.org/project/date [5]
http://drupal.org/user/45874
--------------------------------------------------------------------------------
ChangeLog:
* Wed Sep 16 2009 Jon Ciesla <limb at jcomserv.net> - 6.x.2.4-0
- Update to new version.
- Fix for DRUPAL-SA-CONTRIB-2009-057.
* Wed Jul 29 2009 Jon Ciesla <limb at jcomserv.net> - 6.x.2.3-0
- Update to new version.
- Fix for DRUPAL-SA-CONTRIB-2009-046.
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 6.x.2.0-2.rc4.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update drupal-date' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------
More information about the Fedora-package-announce
mailing list