
Drupal 4.6.9 and Drupal 4.7.3 are available for download. These are maintenance releases that fix problems reported using the bug tracking system, as well as one security vulnerability.

Upgrading your existing Drupal sites is strongly recommended.

----------------------------------------------------------------------------
Drupal security advisory DRUPAL-SA-2006-011
----------------------------------------------------------------------------
Advisory ID: DRUPAL-SA-2006-011
Project: Drupal core
Date: 2006-Aug-02
Security risk: less critical
Impact: Drupal 4.6, Drupal 4.7
Where: from remote
Vulnerability: cross-site scripting
----------------------------------------------------------------------------

Description
-----------

A malicious user can carry out a cross-site scripting attack by enticing someone to visit a Drupal site via a specially crafted link.
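The advisory does not say which parameter is affected, so the following is an added, generic illustration (not Drupal code) of the vulnerability class it names: a reflected cross-site scripting flaw, where a value taken from a crafted link is echoed into the page as markup. The link, the `q` parameter and the two render functions are assumptions made for the example; the hardened version escapes the value at output time, which is the mitigation such a fix applies.

```python
# Added example (not Drupal code): a reflected XSS pattern beside its hardened form.
from html import escape
from urllib.parse import urlparse, parse_qs

# Constructed sample links: one benign, one carrying markup in the query string.
BENIGN_LINK = "http://example.invalid/search?q=drupal+4.7"
CRAFTED_LINK = "http://example.invalid/search?q=%3Cscript%3Ealert(1)%3C/script%3E"


def query_param(url: str, name: str) -> str:
    """Return the first value of query parameter `name` in `url` ('' if absent)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable: the request value is concatenated into HTML verbatim,
    so any tags it contains become part of the page (reflected XSS)."""
    return "<p>Results for: " + query_param(url, "q") + "</p>"


def render_safe(url: str) -> str:
    """Hardened: escape at output so the value is rendered as text, never as markup."""
    return "<p>Results for: " + escape(query_param(url, "q"), quote=True) + "</p>"


def contains_raw_markup(rendered: str, tag: str = "<script") -> bool:
    """Detection helper: did a tag from the request survive into the rendered HTML?"""
    return tag in rendered.lower()


if __name__ == "__main__":
    for link in (BENIGN_LINK, CRAFTED_LINK):
        print("unsafe:", render_unsafe(link))
        print("safe:  ", render_safe(link))
```

The escaping must happen where the value is written into HTML, not where it is read from the request, because the same value may be reflected in several places and contexts.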

Versions affected
-----------------
- Drupal 4.6.x versions before Drupal 4.6.9
- Drupal 4.7.x versions before Drupal 4.7.3

Solution
--------
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.9 (http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.9.tar.gz).
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.3 (http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.3.tar.gz).

To patch Drupal 4.6.8 use http://drupal.org/files/sa-2006-011/4.6.8.patch.
To patch Drupal 4.7.2 use http://drupal.org/files/sa-2006-011/4.7.2.patch.

Reported By
-----------
Ayman Hourieh

Note about Drupal 4.7.3 and custom themes or JavaScript
-------------------------------------------------------

A bug in the form API theme layer made it possible to have an ID occur more than once in a page. This invalidates the HTML, makes styling with CSS hard or impossible, and can break JavaScript. A patch was committed to ensure unique IDs. This patch has a side-effect that IDs for hidden form fields in your site's HTML will change. You might need to adapt your custom CSS or JavaScript, if it refers to such a changed ID.
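To check a site for the duplicate-ID problem described above, and to see which ids on hidden form fields your custom CSS or JavaScript refers to, the following added script (not part of Drupal or this advisory) parses a page's HTML and reports every id that occurs more than once, plus the ids carried by hidden inputs. The sample markup and the element ids in it are constructed for the example and are not claimed to be the ids Drupal actually emits.

```python
# Added example (not Drupal code): detect duplicate id attributes in a page and
# list the ids of hidden form fields, the ones the form API fix renames.
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page: two hidden inputs share an id; the rest are unique.
SAMPLE_HTML = """
<form action="/node/add" method="post">
  <input type="hidden" name="form_id" id="edit-form-id" value="node_form" />
  <input type="hidden" name="form_token" id="edit-form-id" value="abc" />
  <input type="text" name="title" id="edit-title" />
  <div id="footer"></div>
</form>
"""


class IdCollector(HTMLParser):
    """Collect every id attribute seen, and separately those on hidden inputs."""

    def __init__(self):
        super().__init__()
        self.ids = Counter()      # id value -> number of elements carrying it
        self.hidden_ids = []      # ids of <input type="hidden"> in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if a.get("id"):
            self.ids[a["id"]] += 1
            if tag == "input" and (a.get("type") or "").lower() == "hidden":
                self.hidden_ids.append(a["id"])
    # Self-closing tags (<input ... />) reach handle_starttag via the default
    # handle_startendtag, so they are counted too.


def _collect(html: str) -> IdCollector:
    p = IdCollector()
    p.feed(html)
    p.close()
    return p


def duplicate_ids(html: str) -> list:
    """Ids that appear on more than one element (invalid HTML, breaks CSS/JS)."""
    return sorted(i for i, n in _collect(html).ids.items() if n > 1)


def hidden_field_ids(html: str) -> list:
    """Ids of hidden form fields, in document order (duplicates kept)."""
    return _collect(html).hidden_ids


def selectors_referencing(css_or_js: str, ids) -> list:
    """Which of `ids` are referenced as '#id' in a stylesheet or script text."""
    return [i for i in ids if "#" + i in css_or_js]


if __name__ == "__main__":
    print("duplicate ids:", duplicate_ids(SAMPLE_HTML))
    print("hidden field ids:", hidden_field_ids(SAMPLE_HTML))
    custom_css = "#edit-title { display: none } #edit-form-id { margin: 0 }"
    print("custom CSS references:", selectors_referencing(custom_css, set(hidden_field_ids(SAMPLE_HTML))))
```

Run it against the saved HTML of a page from the site before and after the upgrade; any hidden-field id that your stylesheets or scripts reference and that changes between the two is one you need to adapt.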

Contact
-------
The security contact for Drupal can be reached at security@drupal.org or using the form at http://drupal.org/contact. More information is available from http://drupal.org/security or from our security RSS feed http://drupal.org/security/rss.xml.
