CVE-2010-3686
Published: 29 September 2010
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
Priority
Status
Package | Release | Status |
---|---|---|
drupal5 (Launchpad, Ubuntu, Debian) | dapper | Does not exist |
drupal5 | hardy | Released (5.7-1ubuntu1.3) |
drupal5 | jaunty | Ignored (end of life) |
drupal5 | karmic | Released (5.18-1.1ubuntu2.2) |
drupal5 | lucid | Does not exist |
drupal5 | maverick | Does not exist |
drupal5 | natty | Does not exist |
drupal5 | upstream | Released (5.23) |
drupal6 (Launchpad, Ubuntu, Debian) | dapper | Does not exist |
drupal6 | hardy | Does not exist |
drupal6 | jaunty | Ignored (end of life) |
drupal6 | karmic | Ignored (end of life) |
drupal6 | lucid | Released (6.16-1ubuntu0.1) |
drupal6 | maverick | Not vulnerable (6.18-1ubuntu1) |
drupal6 | natty | Not vulnerable |
drupal6 | upstream | Released (6.18-1) |

Patches (drupal5): debdiff: https://bugs.launchpad.net/ubuntu/+source/drupal6/+bug/539056

Patches (drupal6): debdiff: https://bugs.launchpad.net/ubuntu/karmic/+source/drupal5/+bug/539056