Date: Fri, 10 Apr 2009 02:53:08 +0400 (MSD)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/133550: [vuxml] [patch] www/drupal6-cck: update to 2.2 and document XSS issue
Message-ID: <20090409225308.CE7F41710D@amnesiac.at.no.dns>
Resent-Message-ID: <200904092300.n39N0KEv004904@freefall.freebsd.org>
>Number: 133550 >Category: ports >Synopsis: [vuxml] [patch] www/drupal6-cck: update to 2.2 and document XSS issue >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Thu Apr 09 23:00:20 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.2-PRERELEASE amd64 >Organization: Code Labs >Environment: System: FreeBSD 7.2-PRERELEASE amd64 >Description: XSS vulnerability was found in Drupal's 6.x CCK < 2.2 [1] >How-To-Repeat: [1] http://www.securityfocus.com/bid/34172 >Fix: The following patch updates the port: --- update-2.1-to-2.2.diff begins here --- >From 8f661d307d5030a76c277280b7c5cd7a2e43f637 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Fri, 10 Apr 2009 02:45:08 +0400 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- www/drupal6-cck/Makefile | 9 +++++---- www/drupal6-cck/distinfo | 6 +++--- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/www/drupal6-cck/Makefile b/www/drupal6-cck/Makefile index dc00434..7de2ee7 100644 --- a/www/drupal6-cck/Makefile +++ b/www/drupal6-cck/Makefile @@ -6,7 +6,7 @@ # PORTNAME= cck -DISTVERSION= 6.x-2.1 +DISTVERSION= 6.x-2.2 CATEGORIES= www MASTER_SITES= http://ftp.drupal.org/files/projects/ @@ -14,7 +14,7 @@ MAINTAINER= rea-fbsd@codelabs.ru COMMENT= Drupal 6 Content Construction Kit module DRUPAL6_MODULE= yes -MODULE_DIRS= help examples \ +MODULE_DIRS= help \ includes/views/handlers includes/views includes \ modules/content_copy/translations modules/content_copy \ modules/content_multigroup/translations \ 
@@ -107,12 +107,13 @@ MODULE_FILES= help/add-existing-field.html \ modules/fieldgroup/translations/modules-fieldgroup.fr.po \ modules/fieldgroup/translations/modules-fieldgroup.hu.po \ modules/fieldgroup/translations/modules-fieldgroup.pot \ + modules/fieldgroup/fieldgroup-rtl.css \ + modules/fieldgroup/fieldgroup-simple.tpl.php \ modules/fieldgroup/fieldgroup.css \ modules/fieldgroup/fieldgroup.info \ modules/fieldgroup/fieldgroup.install \ modules/fieldgroup/fieldgroup.module \ modules/fieldgroup/fieldgroup.panels.inc \ - modules/fieldgroup/fieldgroup.tpl.php \ modules/nodereference/help/nodereference.help.ini \ modules/nodereference/help/nodereference.html \ modules/nodereference/nodereference.info \ @@ -164,6 +165,7 @@ MODULE_FILES= help/add-existing-field.html \ theme/content-admin-display-overview-form.tpl.php \ theme/content-admin-field-overview-form.tpl.php \ theme/content-field.tpl.php \ + theme/content-module-rtl.css \ theme/content-module.css \ theme/theme.inc \ translations/help/de/add-existing-field.html \ @@ -191,7 +193,6 @@ MODULE_FILES= help/add-existing-field.html \ translations/examples.fr.po \ translations/general.de.po \ translations/general.fr.po \ - translations/general.hu.po \ translations/general.pot \ translations/hu.po \ translations/includes-views-handlers.de.po \ diff --git a/www/drupal6-cck/distinfo b/www/drupal6-cck/distinfo index 0e99a22..ffce5f8 100644 --- a/www/drupal6-cck/distinfo +++ b/www/drupal6-cck/distinfo 
@@ -1,3 +1,3 @@ -MD5 (drupal/cck-6.x-2.1.tar.gz) = 6036acde1dbc0bad62681de5f94bc912 -SHA256 (drupal/cck-6.x-2.1.tar.gz) = 4267118d4aa89210a0a8f06454504a715aac518390313d203fc0eec13db3d0a4 -SIZE (drupal/cck-6.x-2.1.tar.gz) = 318865 +MD5 (drupal/cck-6.x-2.2.tar.gz) = 0fe5f8e6d1292fcfe98530a3dea0a1a1 +SHA256 (drupal/cck-6.x-2.2.tar.gz) = c271a716da1c81ccb8a31228233bf9f567983e368df22fcc06a51cfaf37cda63 +SIZE (drupal/cck-6.x-2.2.tar.gz) = 357660 -- 1.6.1.3 --- update-2.1-to-2.2.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- <vuln vid="4992df2b-2557-11de-8dc5-001b77d09812"> <topic>drupal6-cck -- cross-site scripting</topic> <affects> <package> <name>drupal6-cck</name> <range><lt>2.2</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>Drupal CCK plugin developer reports:</p> <blockquote cite="http://drupal.org/node/406520"> <p>The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, lets administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate referenced users are not properly filtered, allowing malicious users to inject arbitrary code on those pages. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access.</p> </blockquote> </body> </description> <references> <bid>34172</bid> <url>http://drupal.org/node/406520</url> </references> <dates> <discovery>2009-03-23</discovery> <entry>TODAY</entry> </dates> </vuln> --- vuln.xml ends here --- >Release-Note: >Audit-Trail: >Unformatted:
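Review bot: In the Makefile hunk at `@@ -14,7 +14,7 @@`, `examples` is dropped from MODULE_DIRS, but none of the MODULE_FILES hunks removes an `examples/` entry. Please confirm against the 2.2 tarball that MODULE_FILES has no leftover files under that directory, otherwise the directory list and the file list will disagree at install time.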
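Review bot: The distinfo hunk replaces all three lines for `cck-6.x-2.2.tar.gz`, and MASTER_SITES in the Makefile is a plain `http://` URL, so the SHA256 value is the only integrity check on a distfile that carries a security fix. The committer should fetch the tarball independently and compare SHA256 and SIZE (357660) before committing, rather than taking the values from this mail.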
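Review bot: In the proposed vuln.xml entry, `<entry>TODAY</entry>` is a placeholder and has to be replaced with the actual entry date at commit time. Also check that `<range><lt>2.2</lt></range>` lines up with the package version the port derives from `DISTVERSION= 6.x-2.2`; if the resulting version string keeps the `6.x` prefix, the range may not compare against installed packages as intended.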