XSS vulnerability was found in Drupal's 6.x CCK < 2.2 [1].

Fix: The following patch updates the port. The following VuXML entry should be evaluated and added:

<vuln vid="4992df2b-2557-11de-8dc5-001b77d09812">
  <topic>drupal6-cck -- cross-site scripting</topic>
  <affects>
    <package>
      <name>drupal6-cck</name>
      <range><lt>2.2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Drupal CCK plugin developer reports:</p>
      <blockquote cite="http://drupal.org/node/406520">
        <p>The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, lets administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate referenced users are not properly filtered, allowing malicious users to inject arbitrary code on those pages. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <bid>34172</bid>
    <url>http://drupal.org/node/406520</url>
  </references>
  <dates>
    <discovery>2009-03-23</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here

Attachment: update-2.1-to-2.2.diff

From 8f661d307d5030a76c277280b7c5cd7a2e43f637 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Fri, 10 Apr 2009 02:45:08 +0400 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- www/drupal6-cck/Makefile | 9 +++++---- www/drupal6-cck/distinfo | 6 +++--- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/www/drupal6-cck/Makefile b/www/drupal6-cck/Makefile index dc00434..7de2ee7 100644 --- a/www/drupal6-cck/Makefile +++ b/www/drupal6-cck/Makefile
@@ -6,7 +6,7 @@ # PORTNAME= cck -DISTVERSION= 6.x-2.1 +DISTVERSION= 6.x-2.2 CATEGORIES= www MASTER_SITES= http://ftp.drupal.org/files/projects/ @@ -14,7 +14,7 @@ MAINTAINER= rea-fbsd@codelabs.ru COMMENT= Drupal 6 Content Construction Kit module DRUPAL6_MODULE= yes -MODULE_DIRS= help examples \ +MODULE_DIRS= help \ includes/views/handlers includes/views includes \ modules/content_copy/translations modules/content_copy \ modules/content_multigroup/translations \ @@ -107,12 +107,13 @@ MODULE_FILES= help/add-existing-field.html \ modules/fieldgroup/translations/modules-fieldgroup.fr.po \ modules/fieldgroup/translations/modules-fieldgroup.hu.po \ modules/fieldgroup/translations/modules-fieldgroup.pot \ + modules/fieldgroup/fieldgroup-rtl.css \ + modules/fieldgroup/fieldgroup-simple.tpl.php \ modules/fieldgroup/fieldgroup.css \ modules/fieldgroup/fieldgroup.info \ modules/fieldgroup/fieldgroup.install \ modules/fieldgroup/fieldgroup.module \ modules/fieldgroup/fieldgroup.panels.inc \ - modules/fieldgroup/fieldgroup.tpl.php \ modules/nodereference/help/nodereference.help.ini \ modules/nodereference/help/nodereference.html \ modules/nodereference/nodereference.info \ @@ -164,6 +165,7 @@ MODULE_FILES= help/add-existing-field.html \ theme/content-admin-display-overview-form.tpl.php \ theme/content-admin-field-overview-form.tpl.php \ theme/content-field.tpl.php \ + theme/content-module-rtl.css \ theme/content-module.css \ theme/theme.inc \ translations/help/de/add-existing-field.html \ @@ -191,7 +193,6 @@ MODULE_FILES= help/add-existing-field.html \ translations/examples.fr.po \ translations/general.de.po \ translations/general.fr.po \ - translations/general.hu.po \ translations/general.pot \ translations/hu.po \ translations/includes-views-handlers.de.po \ diff --git a/www/drupal6-cck/distinfo b/www/drupal6-cck/distinfo index 0e99a22..ffce5f8 100644 --- a/www/drupal6-cck/distinfo +++ b/www/drupal6-cck/distinfo 
@@ -1,3 +1,3 @@ -MD5 (drupal/cck-6.x-2.1.tar.gz) = 6036acde1dbc0bad62681de5f94bc912 -SHA256 (drupal/cck-6.x-2.1.tar.gz) = 4267118d4aa89210a0a8f06454504a715aac518390313d203fc0eec13db3d0a4 -SIZE (drupal/cck-6.x-2.1.tar.gz) = 318865 +MD5 (drupal/cck-6.x-2.2.tar.gz) = 0fe5f8e6d1292fcfe98530a3dea0a1a1 +SHA256 (drupal/cck-6.x-2.2.tar.gz) = c271a716da1c81ccb8a31228233bf9f567983e368df22fcc06a51cfaf37cda63 +SIZE (drupal/cck-6.x-2.2.tar.gz) = 357660 -- 1.6.1.3 How-To-Repeat: [1] http://www.securityfocus.com/bid/34172
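Review bot: the patch header carries From:, Date: and Signed-off-by: but no subject line or body, so the DISTVERSION bump from 6.x-2.1 to 6.x-2.2 in the first Makefile hunk reaches the commit log without any explanation; add a subject ("Update to 2.2") and a body naming the CCK XSS advisory (http://drupal.org/node/406520) and the VuXML entry so the security motivation is recorded with the change.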
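Review bot: the second Makefile hunk drops `examples` from MODULE_DIRS, but none of the MODULE_FILES hunks removes an `examples/` entry, and the diffstat (`www/drupal6-cck/Makefile | 9 +++++----`) accounts for every change shown; confirm that no file under examples/ was listed for 2.1 (or that 2.2 no longer ships any), otherwise the plist will still reference a directory the port no longer creates.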
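Review bot: the distinfo hunk replaces MD5, SHA256 and SIZE for cck-6.x-2.2.tar.gz, and a security update is exactly where digests should not be taken from the PR on trust; fetch the tarball from the MASTER_SITES given in the Makefile, run `make makesum` in the port directory and confirm it yields the same SHA256 and SIZE lines as this hunk before committing.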
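As an added example (not part of this PR or of the ports tree), a small checker that reads the proposed VuXML entry and decides whether an installed drupal6-cck package falls inside its `<lt>2.2</lt>` range, which is what the vuxml audit tools do for every installed package; the version ordering it uses is a simplified assumption, not the full pkg_version(1) rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the affects/topic part of the <vuln> entry proposed
# in this PR (description and dates left out; the range check does not need them).
VULN_XML = """<vuln vid="4992df2b-2557-11de-8dc5-001b77d09812">
  <topic>drupal6-cck -- cross-site scripting</topic>
  <affects>
    <package>
      <name>drupal6-cck</name>
      <range><lt>2.2</lt></range>
    </package>
  </affects>
</vuln>"""

# Bounds VuXML allows inside <range>; when a range has several (e.g. ge + lt) all must hold.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def version_key(ver):
    """Simplified ports version ordering (assumption: dotted numeric components
    plus an optional _N PORTREVISION; pkg_version(1) has more rules than this)."""
    base, _, rev = ver.partition("_")
    parts = [int(p) if p.isdigit() else 0 for p in base.split(".")]
    return parts, int(rev or 0)


def affected(vuln_xml, pkgname, pkgversion):
    """Return the entry's <topic> if pkgname/pkgversion lies in any <range> of a
    matching <package>, else None."""
    root = ET.fromstring(vuln_xml)
    installed = version_key(pkgversion)
    for pkg in root.iter("package"):
        if pkgname not in [n.text for n in pkg.findall("name")]:
            continue
        for rng in pkg.findall("range"):
            bounds = [(b.tag, version_key(b.text)) for b in rng]
            if bounds and all(OPS[op](installed, v) for op, v in bounds):
                return root.findtext("topic")
    return None


def check_installed(vuln_xml, installed):
    """installed: 'name-version' strings as pkg_info(1) lists them; returns those this entry hits."""
    return [s for s in installed if affected(vuln_xml, *s.rpartition("-")[::2])]
```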
Responsible Changed From-To: freebsd-ports-bugs->miwi
miwi@ wants his PRs (via the GNATS Auto Assign Tool)
Forgot to say that Tom Uffner, tom@uffner.com, should be credited for pointing me to this update and the fixed XSS issue.

-- Eygene
miwi 2009-04-11 12:01:18 UTC
FreeBSD ports repository
Modified files:
  security/vuxml vuln.xml
Log:
  - Document drupal6-cck -- cross-site scripting
  PR: 133550
  Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Revision Changes Path
1.1909 +35 -1 ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->closed
Committed. Thanks!
miwi 2009-04-11 18:06:44 UTC
FreeBSD ports repository
Modified files:
  www/drupal6-cck Makefile distinfo
Log:
  - Update to 2.2
  PR: 133550
  Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> (maintainer)
  Security: http://www.vuxml.org/freebsd/03d22656-2690-11de-8226-0030843d3802.html
Revision Changes Path
1.3 +5 -4 ports/www/drupal6-cck/Makefile
1.3 +3 -3 ports/www/drupal6-cck/distinfo