Fix critical security issues in drupal packages

Bug #431080 reported by Scott Testerman
This bug affects 4 people
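| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| drupal5 (Debian) | Fix Released | Unknown | | |
| drupal5 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| drupal5 (Ubuntu Hardy) | Fix Released | Undecided | Unassigned | |
| drupal5 (Ubuntu Intrepid) | Fix Released | Undecided | Unassigned | |
| drupal5 (Ubuntu Jaunty) | Fix Released | Undecided | Unassigned | |
| drupal5 (Ubuntu Karmic) | Fix Released | Undecided | Unassigned | |
| drupal6 (Debian) | Fix Released | Unknown | | |
| drupal6 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| drupal6 (Ubuntu Hardy) | Invalid | Undecided | Unassigned | |
| drupal6 (Ubuntu Intrepid) | Invalid | Undecided | Unassigned | |
| drupal6 (Ubuntu Jaunty) | Fix Released | Undecided | Unassigned | |
| drupal6 (Ubuntu Karmic) | Fix Released | Undecided | Unassigned | |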

Bug Description

Binary package hint: drupal5

Full details about the security issue addressed by this bugfix are available at http://drupal.org/node/579482 . The release announcement can be found at http://drupal.org/drupal-6.14 .

The vulnerability is:
* Attacker can fix and reuse a victim's session ID.

Tags: patch
visibility: private → public
Scott Testerman (scott-testerman) wrote :

Diff attached for Hardy

description: updated
Scott Testerman (scott-testerman) wrote :

Diff attached for Intrepid

Scott Testerman (scott-testerman) wrote :

Diff attached for Jaunty

Scott Testerman (scott-testerman) wrote :

Diff attached for Karmic

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. I see that you have attached patches to update the Ubuntu packages to the new upstream version. While this work is appreciated, we cannot publish your patches because this does not follow Ubuntu's policy of backporting security patches. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

Changed in drupal5 (Ubuntu Hardy):
status: New → Confirmed
Changed in drupal5 (Ubuntu Intrepid):
status: New → Confirmed
Changed in drupal5 (Ubuntu Jaunty):
status: New → Confirmed
Changed in drupal5 (Ubuntu Karmic):
status: New → Confirmed
Scott Testerman (scott-testerman) wrote :

Drupal5 debdiffs dutifully done.

Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs Scott! What testing was performed for each of these? Please see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Testing for details.

Changed in drupal5 (Ubuntu Hardy):
status: Confirmed → In Progress
Changed in drupal5 (Ubuntu Intrepid):
status: Confirmed → In Progress
Changed in drupal5 (Ubuntu Jaunty):
status: Confirmed → In Progress
Changed in drupal5 (Ubuntu Karmic):
status: Confirmed → In Progress
Changed in drupal5 (Debian):
status: Unknown → New
Kees Cook (kees) wrote :

Hi again Scott. :) As mentioned in the Drupal 6.x bug, we only use minimal-change patches. Please see item 2 in the Security Update wiki: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Patch

Thanks!

Changed in drupal5 (Ubuntu Hardy):
status: In Progress → Incomplete
Changed in drupal5 (Ubuntu Intrepid):
status: In Progress → Incomplete
Changed in drupal5 (Ubuntu Karmic):
status: In Progress → Incomplete
Changed in drupal5 (Ubuntu Jaunty):
status: In Progress → Incomplete
Artur Rona (ari-tczew) wrote :

 drupal5 (5.20-1) unstable; urgency=low

   * New upstream release (Closes: #543940)

   * debian/changelog
     - Bumped Standard-Version to 3.8.3 (no change needed)

 -- Luigi Gangitano <email address hidden> Sun, 20 Sep 2009 01:35:45 +0200

Changed in drupal5 (Debian):
importance: Unknown → Undecided
status: New → Fix Released
Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Karmic):
assignee: nobody → Artur Rona (ari-tczew)
Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Karmic):
status: Incomplete → In Progress
Artur Rona (ari-tczew) wrote :

I'm removing all old attachments, because these aren't useful (no upstream release, just patch include).

Changed in drupal5 (Ubuntu Jaunty):
assignee: nobody → Artur Rona (ari-tczew)
status: Incomplete → In Progress
Artur Rona (ari-tczew) wrote :
Artur Rona (ari-tczew)
summary: - Drupal 5.20 released to fix critical security vulnerability
+ Fix critical security vulnerability (SA-CORE-2009-008)
Changed in drupal6 (Ubuntu Karmic):
assignee: nobody → Artur Rona (ari-tczew)
status: New → In Progress
Changed in drupal6 (Ubuntu Jaunty):
assignee: nobody → Artur Rona (ari-tczew)
status: New → In Progress
description: updated
Artur Rona (ari-tczew)
tags: added: patch
Bhavani Shankar (bhavi) wrote : Re: Fix critical security vulnerability (SA-CORE-2009-008)

Hello Artur,

Please use patch tagging guidelines as described in

https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines

Thanks

Artur Rona (ari-tczew) wrote :

Added info in patch about:
* Ubuntu
* Upstream
* Patch
I believe that it satisfies you, bhavi.

Changed in drupal5 (Ubuntu Karmic):
assignee: Artur Rona (ari-tczew) → nobody
status: In Progress → New
Kees Cook (kees)
Changed in drupal5 (Ubuntu Jaunty):
status: In Progress → Triaged
Changed in drupal6 (Ubuntu Jaunty):
status: In Progress → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal5 - 5.18-1.1ubuntu2

---------------
drupal5 (5.18-1.1ubuntu2) karmic; urgency=low

  * debian/patches/21_SA-CORE-2009-008.dpatch:
    - Fixed security issues (session fixation),
      see SA-CORE-2009-008 (LP: #431080).
  * debian/README.source: Added for silence lintian's warning.

 -- Artur Rona <email address hidden> Wed, 07 Oct 2009 17:32:47 +0200

Changed in drupal5 (Ubuntu Karmic):
status: New → Fix Released
Changed in drupal6 (Debian):
status: Unknown → Fix Released
Artur Rona (ari-tczew) wrote :
Artur Rona (ari-tczew)
Changed in drupal6 (Ubuntu Hardy):
status: New → Invalid
Changed in drupal6 (Ubuntu Intrepid):
status: New → Invalid
Changed in drupal6 (Ubuntu Karmic):
assignee: Artur Rona (ari-tczew) → nobody
status: In Progress → New
Artur Rona (ari-tczew)
Changed in drupal5 (Debian):
importance: Undecided → Unknown
status: Fix Released → Unknown
Changed in drupal5 (Debian):
status: Unknown → Fix Released
Michael Terry (mterry) wrote :

I would sponsor and push this in (thanks for the work Artur), but we're past FinalFreeze. Will subscribe motu-release for an exception.

Scott Kitterman (kitterman) wrote : Re: [Bug 431080] Re: Fix critical security vulnerability (SA-CORE-2009-008)

Universe is not past final freeze. Go ahead.

...... Original Message .......
On Thu, 15 Oct 2009 18:50:40 -0000 Michael Terry
<email address hidden> wrote:
>I would sponsor and push this in (thanks for the work Artur), but we're
>past FinalFreeze. Will subscribe motu-release for an exception.

Michael Terry (mterry)
Changed in drupal6 (Ubuntu Karmic):
status: New → Fix Committed
Michael Terry (mterry) wrote : Re: Fix critical security vulnerability (SA-CORE-2009-008)

I uploaded this, so it's in the queue awaiting approval.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal6 - 6.12-1.1ubuntu1

---------------
drupal6 (6.12-1.1ubuntu1) karmic; urgency=high

  * debian/patches/21_SA-CORE-2009-008.dpatch:
    - Fixed security issues (session fixation),
      see SA-CORE-2009-008 (LP: #431080).
  * debian/README.source: Added for silence lintian's warning.

 -- Artur Rona <email address hidden> Sat, 10 Oct 2009 18:42:02 +0200

Changed in drupal6 (Ubuntu Karmic):
status: Fix Committed → Fix Released
Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Jaunty):
status: Triaged → In Progress
Marc Deslauriers (mdeslaur) wrote :

I don't see a debdiff attached for Jaunty. Why has Jaunty been marked "In Progress"?

I'm setting back to Triaged. Please set to "In Progress" once someone has attached a Jaunty debdiff.

Artur Rona (ari-tczew) wrote :

"In Progress" assigned to me says that I'm making a debdiff. I think that should made a debdiff today. Don't panic.

Artur Rona (ari-tczew) wrote :
Changed in drupal5 (Ubuntu Jaunty):
assignee: Artur Rona (ari-tczew) → nobody
status: In Progress → New
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff Artur.

Unfortunately, you forgot to add the patches to debian/patches/00list, so they didn't actually get applied during your test build. If I add them to 00list, they fail to apply properly.

Could you please re-submit a fixed debdiff.

Thanks!
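
The failure described in the comment above (patch files present in debian/patches but absent from 00list, so the build silently skips them) can be caught before a debdiff is submitted. The following is an added example, not part of the original thread or of dpatch; it assumes patch files carry a .dpatch suffix, that 00list entries may omit that suffix, and that "#" starts a comment in 00list.

```shell
#!/bin/sh
# Added example: cross-check a dpatch patch directory against its 00list.
# Usage (after sourcing or pasting): check_00list debian/patches

# list_entries DIR: print the patch names found in DIR/00list, one per line,
# normalised to end in ".dpatch". Blank lines and "#" comments are skipped
# (assumed 00list syntax).
list_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1/00list" |
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        case "$name" in
            *.dpatch) printf '%s\n' "$name" ;;
            *)        printf '%s.dpatch\n' "$name" ;;
        esac
    done
}

# check_00list DIR: print one finding per line and return 0 only if there
# are none. UNLISTED = file on disk that the build will never apply;
# MISSING = 00list entry with no matching file.
check_00list() {
    dir=$1
    status=0
    if [ ! -f "$dir/00list" ]; then
        echo "MISSING-00LIST $dir/00list"
        return 2
    fi
    listed=$(list_entries "$dir")
    for f in "$dir"/*.dpatch; do
        [ -e "$f" ] || continue          # glob matched nothing
        base=${f##*/}
        if ! printf '%s\n' "$listed" | grep -qxF -- "$base"; then
            echo "UNLISTED $base"
            status=1
        fi
    done
    for name in $listed; do              # patch names contain no whitespace
        if [ ! -e "$dir/$name" ]; then
            echo "MISSING $name"
            status=1
        fi
    done
    return $status
}
```

A clean result only shows that the list and the directory agree; whether each listed patch applies cleanly still has to be confirmed in a test build.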

Artur Rona (ari-tczew) wrote :

OOops, epic fail :P
deleting old debdiff, preparing refreshed debdiff...

Changed in drupal5 (Ubuntu Jaunty):
assignee: nobody → Artur Rona (ari-tczew)
status: New → In Progress
Artur Rona (ari-tczew) wrote :
Marc Deslauriers (mdeslaur) wrote :

Thanks for the new debdiff! The package is currently building and will be released soon.

Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Jaunty):
assignee: Artur Rona (ari-tczew) → nobody
status: In Progress → New
Artur Rona (ari-tczew)
Changed in drupal6 (Ubuntu Jaunty):
status: Triaged → In Progress
Artur Rona (ari-tczew) wrote :

Debdiff for jaunty drupal6. It built fine on my-ppa.
https://launchpad.net/~ari-tczew/+archive/drupal/+build/1308115/+files/buildlog_ubuntu-jaunty-i386.drupal6_6.10-1ubuntu0.1~ppa1_FULLYBUILT.txt.gz

Added patch to enable RewriteBase /drupal6 (LP: #371187).
It would be nice if someone would open a task on bug #371187 for jaunty and karmic.

Artur Rona (ari-tczew) wrote :

Sponsors: your turn.

Changed in drupal6 (Ubuntu Jaunty):
assignee: Artur Rona (ari-tczew) → nobody
status: In Progress → New
Artur Rona (ari-tczew) wrote :

I'll do the debdiffs for hardy and intrepid later, because I'm very busy now. First, please upload the debdiffs for:
- drupal5 (jaunty)
- drupal6 (jaunty)
- drupal6 (karmic) (LP: #371187)

Marc Deslauriers (mdeslaur) wrote :

I cannot publish the debdiff for jaunty drupal6 as it contains a fix to an issue that is not security related.

The patch for LP: #371187 needs to go through the SRU process:
https://wiki.ubuntu.com/StableReleaseUpdates

Artur Rona (ari-tczew) wrote :

Incompatible debdiff has been removed. I've attached a debdiff without the htaccess patch. If you upload this, I can create a new debdiff just for bug #371187.

Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff. Packages are currently building, and will be released Monday.

Marc Deslauriers (mdeslaur) wrote :

For some reason, I can't change the status on this bug.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal6 - 6.10-1ubuntu0.1

---------------
drupal6 (6.10-1ubuntu0.1) jaunty-security; urgency=low

  * debian/patches/18_SA-CORE-2009-005.dpatch:
    - Fix cross site scripting, see SA-CORE-2009-005
    - CVE-2009-1576
  * debian/patches/19_SA-CORE-2009-006.dpatch:
    - Fix cross site scripting, see SA-CORE-2009-006
  * debian/patches/20_SA-CORE-2009-007.dpatch:
    - Fix possible password leakage via URLs.
    - CVE-2009-2372
    - CVE-2009-2373
    - CVE-2009-2374
  * debian/patches/21_SA-CORE-2009-008.dpatch:
    - Fix security issues (session fixation),
      see SA-CORE-2009-008 (LP: #431080)

 -- Artur Rona <email address hidden> Sun, 25 Oct 2009 16:19:12 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal5 - 5.15-1ubuntu1.1

---------------
drupal5 (5.15-1ubuntu1.1) jaunty-security; urgency=low

  * debian/patches/18_SA-CORE-2009-005.dpatch:
    - Fix cross site scripting, see SA-CORE-2009-005
    - CVE-2009-1576
  * debian/patches/19_SA-CORE-2009-006.dpatch:
    - Fix cross site scripting, see SA-CORE-2009-006
  * debian/patches/20_SA-CORE-2009-007.dpatch:
    - Fix possible password leakage via URLs.
    - CVE-2009-2372
    - CVE-2009-2373
    - CVE-2009-2374
  * debian/patches/21_SA-CORE-2009-008.dpatch:
    - Fix security issues (session fixation),
      see SA-CORE-2009-008 (LP: #431080)

 -- Artur Rona <email address hidden> Sat, 24 Oct 2009 23:32:18 +0200

Changed in drupal5 (Ubuntu Jaunty):
status: New → Fix Released
Changed in drupal6 (Ubuntu Jaunty):
status: New → Fix Released
Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Hardy):
assignee: nobody → Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Intrepid):
assignee: nobody → Artur Rona (ari-tczew)
Artur Rona (ari-tczew)
summary: - Fix critical security vulnerability (SA-CORE-2009-008)
+ Fix critical security issues in drupal packages
Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Intrepid):
status: Incomplete → In Progress
Artur Rona (ari-tczew) wrote :

patches for intrepid

Artur Rona (ari-tczew) wrote :

Sponsors, go ahead.

Changed in drupal5 (Ubuntu Intrepid):
assignee: Artur Rona (ari-tczew) → nobody
status: In Progress → New
Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Intrepid):
assignee: nobody → Artur Rona (ari-tczew)
status: New → In Progress
Changed in drupal5 (Ubuntu Hardy):
status: Incomplete → In Progress
Benjamin Drung (bdrung) wrote :

There are no patches any more. Therefore I unsubscribe ubuntu-universe-sponsors for now. Please resubscribe us when there is something to sponsor.

Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Intrepid):
status: In Progress → New
assignee: Artur Rona (ari-tczew) → nobody
Artur Rona (ari-tczew)
Changed in drupal5 (Ubuntu Intrepid):
status: New → Confirmed
Kees Cook (kees) wrote :

This is building in the security queue now. Thanks!

Changed in drupal5 (Ubuntu Intrepid):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal5 - 5.10-1ubuntu1.1

---------------
drupal5 (5.10-1ubuntu1.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Multiple vulnerabilities and weaknesses
    were discovered in Drupal. (LP: #431080):
    - 14_SA-2008-060
    - 15_SA-2008-067
    - 16_SA-2008-073
    - 17_SA-CORE-2009-001
    - 18_SA-CORE-2009-005
    - 19_SA-CORE-2009-006
    - 20_SA-CORE-2009-007
    - 21_SA-CORE-2009-008
    - 22_SA-CORE-2009-009

  * Fixes:
    - CVE-2008-6171
    - CVE-2008-6532
    - CVE-2008-6533
    - CVE-2009-1576
    - CVE-2009-2372
    - CVE-2009-2373
    - CVE-2009-2374
 -- Artur Rona <email address hidden> Tue, 22 Dec 2009 01:00:27 +0100

Changed in drupal5 (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

There is no debdiff for Hardy yet. As such, I am removing ubuntu-security-sponsors. Please resubscribe ubuntu-security-sponsors once a debdiff for Hardy has been submitted.

Thanks.

Artur Rona (ari-tczew) wrote :
Changed in drupal5 (Ubuntu Hardy):
assignee: Artur Rona (ari-tczew) → nobody
status: In Progress → Confirmed
Martin Pitt (pitti) wrote :

(Unsubscribing ubuntu-sru, since this is a security update)

Marc Deslauriers (mdeslaur) wrote :

Hardy ACK'd. Packages are being built now. Thanks!

Changed in drupal5 (Ubuntu Hardy):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal5 - 5.7-1ubuntu1.2

---------------
drupal5 (5.7-1ubuntu1.2) hardy-security; urgency=low

  * SECURITY UPDATE: Multiple vulnerabilities and weaknesses
    were discovered in Drupal. (LP: #431080):
    - 13_SA-2008-047
    - 14_SA-2008-060
    - 15_SA-2008-067
    - 16_SA-2008-073
    - 17_SA-CORE-2009-001
    - 18_SA-CORE-2009-005
    - 19_SA-CORE-2009-006
    - 20_SA-CORE-2009-007
    - 21_SA-CORE-2009-008
    - 22_SA-CORE-2009-009

  * Fixes:
    - CVE-2008-6171
    - CVE-2008-6532
    - CVE-2008-6533
    - CVE-2009-1576
    - CVE-2009-2372
    - CVE-2009-2373
    - CVE-2009-2374
    - CVE-2009-4370
 -- Artur Rona <email address hidden> Sun, 31 Jan 2010 14:40:34 +0100

Changed in drupal5 (Ubuntu Hardy):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
