A security flaw was found in the way the OpenID functionality in Drupal, the content management system, verified whether the attributes passed through OpenID Simple Registration (SREG) and OpenID Attribute Exchange (AX) were signed. A remote attacker could use this flaw to modify a user's information without the information add-on being noticed (MITM attack).

References:
[1] http://drupal.org/node/1425084
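The check described above, sketched at the protocol level as an added example (not Drupal's code and not part of the original report): a relying party keeps only those SREG/AX fields that are named in `openid.signed`. The function name and the sample response are constructed for illustration, and the code assumes `openid.sig` has already been verified over the listed fields.

```python
SREG_NS = "http://openid.net/extensions/sreg/1.1"
AX_NS = "http://openid.net/srv/ax/1.0"


def signed_extension_values(response, ns_uri):
    """Return the fields of one OpenID extension that openid.signed covers.

    Hypothetical helper; assumes openid.sig was already verified.
    """
    # openid.signed lists keys without the "openid." prefix, comma-separated.
    signed = set(response.get("openid.signed", "").split(","))

    # Resolve the extension alias from its namespace declaration. The
    # declaration itself must be signed, otherwise the alias could be
    # re-pointed at unsigned fields in transit.
    alias = None
    for key, value in response.items():
        if key.startswith("openid.ns.") and value == ns_uri:
            candidate = key[len("openid.ns."):]
            if "ns." + candidate in signed:
                alias = candidate
    if alias is None:
        return {}

    prefix = "openid." + alias + "."
    return {
        key[len(prefix):]: value
        for key, value in response.items()
        if key.startswith(prefix) and key[len("openid."):] in signed
    }


# Constructed sample: two fields were added in transit and are not signed.
SAMPLE = {
    "openid.mode": "id_res",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.sreg,sreg.nickname,ns.ax,ax.type.email,"
                     "ax.value.email",
    "openid.ns.sreg": SREG_NS,
    "openid.sreg.nickname": "alice",
    "openid.sreg.email": "attacker@example.net",      # unsigned, dropped
    "openid.ns.ax": AX_NS,
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.org",
    "openid.ax.value.fullname": "Injected Name",      # unsigned, dropped
}

if __name__ == "__main__":
    print(signed_extension_values(SAMPLE, SREG_NS))
    print(signed_extension_values(SAMPLE, AX_NS))
```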
This issue is scheduled to be corrected in the following drupal6 package updates: 1) drupal6-6.24-1.el6 for Fedora EPEL 6, 2) drupal6-6.24-1.el5 for Fedora EPEL 5, 3) drupal6-6.24-1.fc15 for Fedora 15, 4) drupal6-6.24-1.fc16 for Fedora 16.
This issue is scheduled to be corrected in the following drupal7 package updates: 1) drupal7-7.12-1.el6 for Fedora EPEL 6, 2) drupal7-7.12-1.el5 for Fedora EPEL 5, 3) drupal7-7.12-1.fc16 for Fedora 16, 4) drupal7-7.12-1.fc15 for Fedora 15.
These packages have been released for all Fedora and EPEL branches.