ports/133550: [vuxml] [patch] www/drupal6-cck: update to 2.2 and document XSS issue
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Thu Apr 9 23:00:21 UTC 2009
>Number: 133550
>Category: ports
>Synopsis: [vuxml] [patch] www/drupal6-cck: update to 2.2 and document XSS issue
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Thu Apr 09 23:00:20 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.2-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.2-PRERELEASE amd64
>Description:
An XSS vulnerability was found in Drupal's 6.x CCK < 2.2 [1].
>How-To-Repeat:
[1] http://www.securityfocus.com/bid/34172
>Fix:
The following patch updates the port:
--- update-2.1-to-2.2.diff begins here ---
>From 8f661d307d5030a76c277280b7c5cd7a2e43f637 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Fri, 10 Apr 2009 02:45:08 +0400
Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
www/drupal6-cck/Makefile | 9 +++++----
www/drupal6-cck/distinfo | 6 +++---
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/www/drupal6-cck/Makefile b/www/drupal6-cck/Makefile
index dc00434..7de2ee7 100644
--- a/www/drupal6-cck/Makefile
+++ b/www/drupal6-cck/Makefile
@@ -6,7 +6,7 @@
#
PORTNAME= cck
-DISTVERSION= 6.x-2.1
+DISTVERSION= 6.x-2.2
CATEGORIES= www
MASTER_SITES= http://ftp.drupal.org/files/projects/
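Review bot: The DISTVERSION bump to 6.x-2.2 is the security fix, yet the patch header above carries no subject line or description, only From, Date and Signed-off-by. Suggest a commit message that names the XSS issue and cites the advisory (http://drupal.org/node/406520, BID 34172) so the port history records why the update was made.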
@@ -14,7 +14,7 @@ MAINTAINER= rea-fbsd at codelabs.ru
COMMENT= Drupal 6 Content Construction Kit module
DRUPAL6_MODULE= yes
-MODULE_DIRS= help examples \
+MODULE_DIRS= help \
includes/views/handlers includes/views includes \
modules/content_copy/translations modules/content_copy \
modules/content_multigroup/translations \
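Review bot: `examples` is dropped from MODULE_DIRS here, but no visible hunk removes a MODULE_FILES entry under examples/, and the diffstat (8 insertions, 7 deletions) is fully accounted for by the hunks shown. Please confirm that the 2.2 tarball no longer ships that directory and that no stale examples/ path remains in MODULE_FILES; a leftover entry would point at a file the distribution no longer has.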
@@ -107,12 +107,13 @@ MODULE_FILES= help/add-existing-field.html \
modules/fieldgroup/translations/modules-fieldgroup.fr.po \
modules/fieldgroup/translations/modules-fieldgroup.hu.po \
modules/fieldgroup/translations/modules-fieldgroup.pot \
+ modules/fieldgroup/fieldgroup-rtl.css \
+ modules/fieldgroup/fieldgroup-simple.tpl.php \
modules/fieldgroup/fieldgroup.css \
modules/fieldgroup/fieldgroup.info \
modules/fieldgroup/fieldgroup.install \
modules/fieldgroup/fieldgroup.module \
modules/fieldgroup/fieldgroup.panels.inc \
- modules/fieldgroup/fieldgroup.tpl.php \
modules/nodereference/help/nodereference.help.ini \
modules/nodereference/help/nodereference.html \
modules/nodereference/nodereference.info \
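Review bot: In the fieldgroup file list, fieldgroup.tpl.php is removed and fieldgroup-simple.tpl.php is added, which reads like a template rename rather than a plain addition. If that is what upstream did, site themes that override fieldgroup.tpl.php may need adjusting after the upgrade, so it deserves a line in the commit message or a pkg-message; please confirm against the contents of the 2.2 tarball.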
@@ -164,6 +165,7 @@ MODULE_FILES= help/add-existing-field.html \
theme/content-admin-display-overview-form.tpl.php \
theme/content-admin-field-overview-form.tpl.php \
theme/content-field.tpl.php \
+ theme/content-module-rtl.css \
theme/content-module.css \
theme/theme.inc \
translations/help/de/add-existing-field.html \
@@ -191,7 +193,6 @@ MODULE_FILES= help/add-existing-field.html \
translations/examples.fr.po \
translations/general.de.po \
translations/general.fr.po \
- translations/general.hu.po \
translations/general.pot \
translations/hu.po \
translations/includes-views-handlers.de.po \
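Review bot: translations/general.hu.po is removed while general.de.po and general.fr.po stay and translations/hu.po remains listed. Please confirm that only the Hungarian general file was dropped upstream; with a hand-maintained MODULE_FILES list an asymmetric removal like this is easy to get wrong.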
diff --git a/www/drupal6-cck/distinfo b/www/drupal6-cck/distinfo
index 0e99a22..ffce5f8 100644
--- a/www/drupal6-cck/distinfo
+++ b/www/drupal6-cck/distinfo
@@ -1,3 +1,3 @@
-MD5 (drupal/cck-6.x-2.1.tar.gz) = 6036acde1dbc0bad62681de5f94bc912
-SHA256 (drupal/cck-6.x-2.1.tar.gz) = 4267118d4aa89210a0a8f06454504a715aac518390313d203fc0eec13db3d0a4
-SIZE (drupal/cck-6.x-2.1.tar.gz) = 318865
+MD5 (drupal/cck-6.x-2.2.tar.gz) = 0fe5f8e6d1292fcfe98530a3dea0a1a1
+SHA256 (drupal/cck-6.x-2.2.tar.gz) = c271a716da1c81ccb8a31228233bf9f567983e368df22fcc06a51cfaf37cda63
+SIZE (drupal/cck-6.x-2.2.tar.gz) = 357660
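Review bot: The new MD5 and SHA256 lines are the only integrity check on cck-6.x-2.2.tar.gz, since MASTER_SITES in the Makefile is a plain http:// URL. Before committing, recompute SHA256 and SIZE from an independently fetched copy of the tarball rather than accepting the submitted values as is.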
--
1.6.1.3
--- update-2.1-to-2.2.diff ends here ---
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="4992df2b-2557-11de-8dc5-001b77d09812">
  <topic>drupal6-cck -- cross-site scripting</topic>
  <affects>
    <package>
      <name>drupal6-cck</name>
      <range><lt>2.2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Drupal CCK plugin developer reports:</p>
      <blockquote
        cite="http://drupal.org/node/406520">
        <p>The Node reference and User reference sub-modules, which
          are part of the Content Construction Kit (CCK) project, lets
          administrators define node fields that are references to other
          nodes or to users. When displaying a node edit form, the
          titles of candidate referenced nodes or names of candidate
          referenced users are not properly filtered, allowing malicious
          users to inject arbitrary code on those pages. Such a cross
          site scripting (XSS) attack may lead to a malicious user
          gaining full administrative access.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <bid>34172</bid>
    <url>http://drupal.org/node/406520</url>
  </references>
  <dates>
    <discovery>2009-03-23</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: