OVAL Definition: oval:org.mitre.oval:def:13660
Revision Date: 2014-06-23    Version: 20
Title: DSA-1930-1 drupal6 -- several vulnerabilities
Description: Several vulnerabilities have been found in drupal6, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2009-2372: Gerhard Killesreiter discovered a flaw in the way user signatures are handled. A user can inject arbitrary code via a crafted user signature.
  • CVE-2009-2373: Mark Piper, Sven Herrmann and Brandon Knight discovered a cross-site scripting issue in the forum module, which could be exploited via the tid parameter.
  • CVE-2009-2374: Sumit Datta discovered that certain drupal6 pages leak sensitive information such as user credentials.

Several design flaws in the OpenID module have also been fixed; they could lead to cross-site request forgery or privilege escalation. In addition, the file upload function did not process all file extensions properly, which could lead to execution of arbitrary code.

For the stable distribution (lenny), these problems have been fixed in version 6.6-3lenny3. The oldstable distribution does not contain drupal6. For the testing and unstable distributions, these problems have been fixed in version 6.14-1. We recommend that you upgrade your drupal6 packages.
Family: unix    Class: patch
Status: ACCEPTED
Reference(s): CVE-2009-2372, CVE-2009-2373, CVE-2009-2374, DSA-1930-1
Platform(s): Debian GNU/Linux 5.0
Product(s): drupal6
Definition Synopsis
  • Debian GNU/Linux 5.0 is installed
  • AND Installed architecture is all
  • AND drupal6 DPKG is earlier than 6.6-3lenny3