Drupal upstream has released Drupal 5.12/6.6 to resolve two security issues.
References:
http://drupal.org/node/324824
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503222
Summary of the issues:
- local file inclusion (config file for IP-based virtual hosts) (5.x, 6.x)
- XSS in the title of book pages (6.x only)
drupal-5.12-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
drupal-6.6-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6176 to the following vulnerability: bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary local files via unspecified vectors.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6176
http://drupal.org/node/324824
http://www.securityfocus.com/bid/31900

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6170 to the following vulnerability: Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and 6.x before 6.6, allows remote authenticated users with create book content or edit node book hierarchy permissions to inject arbitrary web script or HTML via the book page title.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6170
http://drupal.org/node/324824
http://www.securityfocus.com/bid/31882
http://secunia.com/advisories/32297

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6171 to the following vulnerability: Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via unspecified vectors.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6171
http://drupal.org/node/324824
http://www.securityfocus.com/bid/31882

Why is this still open?
Very good question. At first I thought it was because EPEL had a vulnerable version, but it looks like it has 5.15 which is not vulnerable. Closing.