[Frugalware-security] [ FSA-680 ] drupal6-cck

Miklos Vajna vmiklos at frugalware.org
Tue Aug 10 00:05:29 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory                           FSA-680

Date: 2010-08-10
Package: drupal6-cck
Vulnerable versions: <= 6.x_2.6-1
Unaffected versions: >= 6.x_2.7-1locris1
Related bugreport: http://bugs.frugalware.org/task/4243
CVE: No CVE, see http://drupal.org/node/829566.

Description
===========

Some vulnerabilities have been reported in the Drupal Content Construction Kit (CCK), which can be exploited by malicious users to disclose sensitive information.

1) A vulnerability in the CCK "Node Reference" module is caused by improper validation of access levels and can be exploited to gain view access to controlled nodes.

2) Another vulnerability in the "Node Reference" module is caused by improper validation of access levels for a backend URL. It can be exploited by sending queries directly to the backend URL to disclose node titles and IDs.

Updated Packages
================

Check if you have drupal6-cck installed:

	# pacman-g2 -Q drupal6-cck

If found, then you should upgrade to the latest version:

	# pacman-g2 -Sy drupal6-cck

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/680

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkxge6kACgkQZ7NElSD1Vhkr6ACdGKRJ6Ueh7r/stj9LzF/bnqzY
WnEAn35IIkqv+20E4pJeaxMW2GE/CyEL
=vtln
-----END PGP SIGNATURE-----

