Debian DSA-2828-1 : drupal6 - several vulnerabilities

medium Nessus Plugin ID 71764

Synopsis

The remote Debian host is missing a security-related update.

Description

Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework: vulnerabilities due to optimistic cross-site request forgery protection, insecure pseudo random number generation, code execution and incorrect security token validation.

In order to avoid the remote code execution vulnerability, it is recommended to create a .htaccess file (or an equivalent configuration directive in case you are not using Apache to serve your Drupal sites) in each of your sites' 'files' directories (both public and private, in case you have both configured).

Please refer to the NEWS file provided with this update and the upstream advisory at drupal.org/SA-CORE-2013-003 for further information.

Solution

Upgrade the drupal6 packages.

For the oldstable distribution (squeeze), these problems have been fixed in version 6.29-1.

See Also

http://www.nessus.org/u?9a366273

https://packages.debian.org/source/squeeze/drupal6

https://www.debian.org/security/2013/dsa-2828

Plugin Details

Severity: Medium

ID: 71764

File Name: debian_DSA-2828.nasl

Version: 1.9

Type: local

Agent: unix

Published: 12/30/2013

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:6.0, p-cpe:/a:debian:debian_linux:drupal6

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 12/28/2013

Reference Information

CVE: CVE-2013-6385, CVE-2013-6386

BID: 63837, 63840

DSA: 2828