Bug 466741

Summary: drupal: multiple drupal issues in < 6.5,5.11 (SA-2008-060 - CVE-2008-4789, CVE-2008-4790, CVE-2008-4791, CVE-2008-4792, CVE-2008-4793)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: gwync, jlieskov
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-10-30 08:31:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-10-13 11:21:33 UTC 
Drupal upstream released new upstream versions 6.5 and 5.11 fixing multiple
security issues described in upstream advisory SA-2008-060:

  http://drupal.org/node/318706

Issues reported:
- File upload access bypass (unprivileged file attach, 6.x)
- File upload access bypass (file disclosure, 5.x)
- Access rules bypass
- BlogAPI access bypass
- Node validation bypass (5.x)

Upstream patches against previous versions:
http://drupal.org/files/sa-2008-060/SA-2008-060-5.10.patch
http://drupal.org/files/sa-2008-060/SA-2008-060-6.4.patch
Comment 1 Fedora Update System 2008-10-16 02:09:18 UTC 
drupal-6.5-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 2 Fedora Update System 2008-10-16 02:13:33 UTC 
drupal-5.11-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Jan Lieskovsky 2008-10-24 17:53:05 UTC 
*** Bug 468423 has been marked as a duplicate of this bug. ***
Comment 4 Tomas Hoger 2008-10-30 08:30:16 UTC 
CVEs assigned to these issue:

CVE-2008-4789:
The validation functionality in the core upload module in Drupal 6.x
before 6.5 allows remote authenticated users to bypass intended access
restrictions and "attach files to content," related to a "logic
error."

CVE-2008-4790:
The core upload module in Drupal 5.x before 5.11 allows remote
authenticated users to bypass intended access restrictions and read
"files attached to content" via unknown vectors.

CVE-2008-4791:
The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might
allow remote authenticated users to bypass intended login access rules
and successfully login via unknown vectors.

CVE-2008-4792:
The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5
does not properly validate unspecified content fields of an internal
Drupal form, which allows remote authenticated users to bypass
intended access restrictions via modified field values.

CVE-2008-4793:
The node module API in Drupal 5.x before 5.11 allows remote attackers
to bypass node validation and have unspecified other impact via
unknown vectors related to contributed modules.
Comment 5 Tomas Hoger 2008-10-30 08:31:26 UTC 
New upstream drupal versions 5.11 / 6.5 were pushed to F8 and F9 stable via:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-8905
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8852