[SECURITY] Fedora 13 Update: drupal-views-6.x.2.11-1.fc13

updates at fedoraproject.org updates at fedoraproject.org
Mon Jun 21 21:44:32 UTC 2010 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-10215
2010-06-21 21:03:55
--------------------------------------------------------------------------------

Name        : drupal-views
Product     : Fedora 13
Version     : 6.x.2.11
Release     : 1.fc13
URL         : http://drupal.org/project/views
Summary     : Provides a method for site designers to control content presentation
Description :
The views module provides a flexible method for Drupal site designers
to control how lists of content (nodes) are presented. Traditionally,
Drupal has hard-coded most of this, particularly in how taxonomy and
tracker lists are formatted.

This tool is essentially a smart query builder that, given enough
information, can build the proper query, execute it, and display the
results. It has four modes, plus a special mode, and provides an
impressive amount of functionality from these modes.

--------------------------------------------------------------------------------
Update Information:

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-067 (http://drupal.org/node/829840)    *
Project: Views (third-party module)    * Version: 5.x, 6.x    * Date:
2010-June-16    * Security risk: Less critical    * Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities    -------- DESCRIPTION
---------------------------------------------------------    The Views module
provides a flexible method for Drupal site designers to  control how lists and
tables of content are presented.  -------- CROSS SITE REQUEST FORGERY (CSRF)
-----------------------------------    The Views UI module, which is included
with Views, can be used to  enable/disable Views by following a link to a
particular page (e.g.  admin/build/views/disable/frontpage). As no protections,
such as form tokens,  are in place to prevent forged requests to these pages,
the feature is  vulnerable to a Cross Site Request Forgery (CSRF [1]) that would
allow an  attacker to enable/disable all Views on a site. Mitigating factors: If
Views  UI module is disabled Views will no longer be affected by this
vulnerability.  This issue affects Views for Drupal 5 and Drupal 6.  --------
CROSS SITE SCRIPTING (XSS)    ------------------------------------------
Under certain circumstances, Views could display URLs or aggregator feed  titles
without escaping, resulting in a Cross Site Scripting (XSS [2])  vulnerability.
An attacker could exploit this to gain full administrative  access. This issue
affects Views for Drupal 6 only.  -------- VERSIONS AFFECTED
---------------------------------------------------      * Views module for
Drupal 5.x versions prior to 5.x-1.8    * Views module for Drupal 6.x versions
prior to 6.x-2.11    Drupal core is not affected. If you do not use the
contributed Views [3]  module, there is nothing you need to do.  --------
SOLUTION    ------------------------------------------------------------
Install the latest version:      * If you use the Views module for Drupal 5.x
upgrade to Views 5.x-1.8 [4]    * If you use the Views module for Drupal 6.x
upgrade to Views 6.x-2.11 [5]    See also the Views project page [6].  --------
REPORTED BY    ---------------------------------------------------------      *
The Cross Site Request Forgery (CSRF) vulnerability was reported by Martin
Barbella (mbarbella [7]).    * The Cross Site Scripting (XSS) vulnerabilities
were reported by Earl Miles      (merlinofchaos [8]), module maintainer and
Daniel Wehner (dereine [9]),      module co-maintainer    -------- FIXED BY
------------------------------------------------------------      * Earl Miles
(merlinofchaos [10]), module maintainer    -------- CONTACT
-------------------------------------------------------------    The Drupal
security team [11] can be reached at security at drupal.org or via  the form at
http://drupal.org/contact.    * [1] http://en.wikipedia.org/wiki/Csrf  * [2]
http://en.wikipedia.org/wiki/Cross-site_scripting  * [3]
http://drupal.org/project/views  * [4] http://drupal.org/node/829848  * [5]
http://drupal.org/node/829846  * [6] http://drupal.org/project/views  * [7]
http://drupal.org/user/633600  * [8] http://drupal.org/user/26979  * [9]
http://drupal.org/user/99340  * [10] http://drupal.org/user/26979  * [11]
http://drupal.org/security-team
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jun 18 2010 Jon Ciesla <limb at jcomserv.net> - 6.x.2.11-1
- New upstream, fixes SA-CONTRIB-2010-067.
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update drupal-views' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list