[Secure-testing-team] DRUPAL-SA-2007-031 - SQL injection in certain contributed modules
Nico Golde
debian-secure-testing+ml at ngolde.de
Sat Dec 8 13:42:27 UTC 2007
Hi Luigi,
* Luigi Gangitano <luigi at debian.org> [2007-12-08 00:17]:
> a new vulnerability has been reported today in drupal. SQL injection
> is possible when some contributed modules use
> taxonomy_select_nodes(). Default installation of drupal in debian is
> not vulnerable, since no contributed module is installed by default.
>
> This vulnerability has been fixed in drupal5_5.5-1 and
> drupal_4.7.10-1, now in sid and in testing as soon as the one day
> delay is over. There is no drupal in etch.
Thank you for the information. I do not yet see any CVE id
for this issue. Did anyone request one so far?
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.