Drupal upstream released new upstream versions 6.5 and 5.11 fixing multiple security issues described in upstream advisory SA-2008-060: http://drupal.org/node/318706 Issues reported: - File upload access bypass (unprivileged file attach, 6.x) - File upload access bypass (file disclosure, 5.x) - Access rules bypass - BlogAPI access bypass - Node validation bypass (5.x) Upstream patches against previous versions: http://drupal.org/files/sa-2008-060/SA-2008-060-5.10.patch http://drupal.org/files/sa-2008-060/SA-2008-060-6.4.patch
drupal-6.5-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
drupal-5.11-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 468423 has been marked as a duplicate of this bug. ***
CVEs assigned to these issue: CVE-2008-4789: The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error." CVE-2008-4790: The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors. CVE-2008-4791: The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully login via unknown vectors. CVE-2008-4792: The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an internal Drupal form, which allows remote authenticated users to bypass intended access restrictions via modified field values. CVE-2008-4793: The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules.
New upstream drupal versions 5.11 / 6.5 were pushed to F8 and F9 stable via: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-8905 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8852