Reporting a REVOKED update status of 6.x-2.7?
seaneffel - November 4, 2009 - 20:51
| Project: | Link |
| Version: | 6.x-2.7 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
Description
I upgraded to the security release for Link as recommended by the security email. When I moved from 2.6 to 2.7 I got some module status of "revoked". Either I am having this problem all by myself or you are about to get flooded with support requests whenever the 30,000 Link module users get word. Here are the details:
I just got a security release for Link that reads:
* Advisory ID: DRUPAL-SA-CONTRIB-2009-096
* Project: Link (third-party module)
* Version: 5.x, 6.x
* Date: 2009-November-4
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Link module provides a CCK field which enables links to be added to
content types, that can include a URL, title, and target attribute. When
using the "Separate title and URL" formatter supplied by the module, the link
title field is not sanitized before being displayed, leading to a Cross Site
Scripting (XSS [1]) vulnerability.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Link module for Drupal 6.x prior to Link 6.x-2.7 [2]
* Link module for Drupal 5.x prior to Link 5.x-2.6 [3]
Drupal core is not affected. If you do not use the contributed Link module
[4], there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use Link module for Drupal 6.x upgrade to version 6.x-2.7 [5]
* If you use Link module for Drupal 5.x upgrade to version 5.x-2.6 [6]

And then when I did the update my module status reads:
Release revoked: Your currently installed release has been revoked, and is no longer available for download. Disabling everything included in this release or upgrading is strongly recommended!
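The flaw described in the quoted advisory (a link title displayed without sanitization by a "separate title and URL" style formatter), shown as an added example that is not part of the original post and is not the Link module's code. The function names and the sample field value are hypothetical.

```php
<?php
// Added illustration, not the Link module's code: function names and the
// sample item are hypothetical/constructed.

// Escape text for an HTML body or quoted-attribute context.
// Drupal's check_plain() plays this role for plain-text output.
function esc(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Before: title and URL rendered separately, title emitted as-is.
function format_separate_unsafe(array $item): string {
    $url = esc($item['url']);
    return '<div class="link-title">' . $item['title'] . '</div>'
         . '<div class="link-url"><a href="' . $url . '">' . $url . '</a></div>';
}

// After: the title is treated as plain text and escaped at output time.
function format_separate_safe(array $item): string {
    $url = esc($item['url']);
    return '<div class="link-title">' . esc($item['title']) . '</div>'
         . '<div class="link-url"><a href="' . $url . '">' . $url . '</a></div>';
}

// Constructed field value: a title carrying markup instead of plain text.
$item = [
    'title' => '<script>alert("title")</script>',
    'url'   => 'http://example.com/',
];

$unsafe = format_separate_unsafe($item);
$safe   = format_separate_safe($item);

// Check which rendering still contains a literal <script> tag.
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') === false);
echo $safe, PHP_EOL;
```

Escaping at output time keeps the stored title intact while preventing the browser from interpreting it as markup.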
#1
Changed the title, didn't mean to sound testy...
#2
According to davereid on #drupal, "They need to clear their update.module cache." Could you give that a try and let me know if it clears up the problem?
#3
This is an issue when release nodes are manually published as is required by the security team's release process. More details are at http://drupal.org/node/548886
It should be fixed soon.
#4
RE #2: This is not the case. Caches properly flushed, no change in status.
RE #3: That's the ticket. I'll lurk until there is more.
#5
http://updates.drupal.org/release-history/link/6.x
This is fixed now.