Security support for CMSes
On Sun, Oct 07, 2012 at 09:02:23AM -0400, Wolf Halton wrote:
> I am sorry to hear your site was cracked. I run Drupal on Debian as well. The fundamental flaw here is the lag time between drupal update and packaging on debian. I run drupal 7 for new sites. Installs are not the simplest things in the world, but it comes in handy in an ongoing fashion to have done the work. That way you are sure of your database user and pass as well as exact location of files.
> As an engineer, you reasonably want to make the process as simple as possible but no simpler. Packages with public web interfaces like drupal take more care and feeding than any other kind of package I can think of. It is not a Debian issue. Any Linux packager would have a hard time keeping up with a community-maintained monster like drupal. Even if you are running Sid, not suggested for production environment, there is too much lag to trust package maintainers to do the updates for you.

If this is true, then I have to wonder what is the point of having a Debian package for Drupal at all. I always figured that there was a benefit in using a Debian-packaged version of software like Drupal, MediaWiki, Wordpress, etc. because I wouldn't have to do manual updates in order to get security fixes.

-Rob

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20121007135725.GA23129@aurora.owens.net

Hi,
On 07.10.2012 12:19, Peter Viskup wrote:
> Hello everybody,
> I am using Drupal6 from Debian repositories as I thought that Debian is taking care of the security fixes and therefore I do not have to take care too much.
> Unfortunately one of my sites was cracked and there were none of security fixes released in June 2012 by Drupal community backported to main release till today. The only 'fixed' version of Drupal6 is available on backports.debian.org.
> Do you use Debian versions of CMSes?
> Are you continuously checking the main releases and checking the states of Debian packages?
> What are your proposals for running any CMS available in Debian repositories?
> Does somebody have similar experience from the past or with another CMS from Debian repositories?

you should address the issue to the maintainer luigi@debian.org, and the security team [1] (security@debian.org or team@security.debian.org), which I put in CC.

Looking at

http://security-tracker.debian.org/tracker/status/release/stable

there are 2 issues which are not fixed in the current stable version of drupal6. Perhaps the maintainer and/or the security team overlooked them.

[1] http://www.debian.org/security/faq#contact

Robert

> Thank you.
>
> Best regards,
> --
> Peter Viskup

Archive: http://lists.debian.org/50718B62.1030606@gmx.de

Wolf Halton
http://sourcefreedom.com Apache developer: wolfhalton@apache.org

On Oct 7, 2012 10:01 AM, "Robert Pommrich" <LeProvokateur@gmx.de> wrote:
>
> Hi,
>
> On 07.10.2012 12:19, Peter Viskup wrote:
> > Hello everybody,
> > I am using Drupal6 from Debian repositories as I thought that Debian is taking care of the security fixes and therefore I do not have to take care too much.
> > Unfortunately one of my sites was cracked and there were none of security fixes released in June 2012 by Drupal community backported to main release till today. The only 'fixed' version of Drupal6 is available on backports.debian.org.
> > Do you use Debian versions of CMSes?
> > Are you continuously checking the main releases and checking the states of Debian packages?
> > What are your proposals for running any CMS available in Debian repositories?
> > Does somebody have similar experience from the past or with another CMS from Debian repositories?
>
> you should address the issue to the maintainer luigi@debian.org, and the security team [1] (security@debian.org or team@security.debian.org), which I put in CC.
>
> Looking at
>
> http://security-tracker.debian.org/tracker/status/release/stable
>
> there are 2 issues which are not fixed in the current stable version of drupal6. Perhaps the maintainer and/or the security team overlooked them.
>
> [1] http://www.debian.org/security/faq#contact
>
> Robert
>
> > Thank you.
> >
> > Best regards,
> > --
> > Peter Viskup
> >

The reason to have a drupal package or any other community or multiverse package is most likely that somebody had the inclination to do the packaging. Whether it be a good plan to use it is up to the individual user.

Wolf

PS I know it is hard to be objective when one's own site has been cracked. *Computer security is not a state; it is a process.* The more third-parties involved in one's security, the easier it is to delegate security to them.

I get email updates from my drupal sites with module and core updates. I use drush to update all and the whole process takes less than 10 minutes. One could automate this with a cron job, but I like to know which modules are being updated.

> Archive: http://lists.debian.org/50718B62.1030606@gmx.de

On 2012-10-07 17:38, Wolf Halton wrote:
> The reason to have a drupal package or any other community or multiverse package is most likely that somebody had the inclination to do the packaging. Whether it be a good plan to use it is up to the individual user.

I typically think of it as a downside of ubuntu installations that their security support policy separates their large repository into a small main section with security support, and a large universe section which does not promise any security support.

I always thought debian was "better" in the sense that there was security support for all of debian main, which is much larger than ubuntu main.

Is that belief misguided?

[I am aware that this is a community distribution, that everyone has too little spare time to solve my problems, etc. This is in no way a complaint, I enjoy debian a lot. This is merely a question.]

(I do not use drupal myself anymore, but both mediawiki and gallery, as well as webservers without CMSs)

Regards

Johan

Archive: http://lists.debian.org/k4s8j6$cif$1@ger.gmane.org

Hi,
* Robert Pommrich <LeProvokateur@gmx.de> [2012-10-07 16:01]:
> On 07.10.2012 12:19, Peter Viskup wrote:
> > Hello everybody,
> > I am using Drupal6 from Debian repositories as I thought that Debian is taking care of the security fixes and therefore I do not have to take care too much.
> > Unfortunately one of my sites was cracked and there were none of security fixes released in June 2012 by Drupal community backported to main release till today. The only 'fixed' version of Drupal6 is available on backports.debian.org.
> > Do you use Debian versions of CMSes?
> > Are you continuously checking the main releases and checking the states of Debian packages?
> > What are your proposals for running any CMS available in Debian repositories?
> > Does somebody have similar experience from the past or with another CMS from Debian repositories?
>
> you should address the issue to the maintainer luigi@debian.org, and the security team [1] (security@debian.org or team@security.debian.org), which I put in CC.
>
> Looking at
>
> http://security-tracker.debian.org/tracker/status/release/stable
>
> there are 2 issues which are not fixed in the current stable version of drupal6. Perhaps the maintainer and/or the security team overlooked them.

Providing security updates for packages in Debian is still based on voluntary work. Therefore it can happen sometimes that either a security fix is overlooked or no person has committed to provide/release an updated package. The latter probably applies in this case.

Can you further specify what exactly you mean by cracked? This would be interesting as, even though two CVE ids are marked as unfixed in stable, none of the issues qualifies, for example, to execute code on a remote drupal installation.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA

Wolf Halton
http://sourcefreedom.com Apache developer: wolfhalton@apache.org

On Oct 7, 2012 11:54 AM, "Johan Grönqvist" <johan.gronqvist@gmail.com> wrote:
>
> On 2012-10-07 17:38, Wolf Halton wrote:
>
> > The reason to have a drupal package or any other community or multiverse package is most likely that somebody had the inclination to do the packaging. Whether it be a good plan to use it is up to the individual user.
>
> I typically think of it as a downside of ubuntu installations that their security support policy separates their large repository into a small main section with security support, and a large universe section which does not promise any security support.
>
> I always thought debian was "better" in the sense that there was security support for all of debian main, which is much larger than ubuntu main.
>
> Is that belief misguided?

Debian has main, contrib and non-free categories. I don't think drupal is in main. Could easily be wrong about that.

-Wolf

> [I am aware that this is a community distribution, that everyone has too little spare time to solve my problems, etc. This is in no way a complaint, I enjoy debian a lot. This is merely a question.]
>
> (I do not use drupal myself anymore, but both mediawiki and gallery, as well as webservers without CMSs)
>
> Regards
>
> Johan
>
> Archive: http://lists.debian.org/k4s8j6$cif$1@ger.gmane.org

On Mon, Oct 8, 2012 at 12:18 AM, Peter Viskup <skupko.sk@gmail.com> wrote:
> Overlooked it was not sent to debian-user list.
> I do not know what security issue was used to crack my site - they used some Drupal weakness to create some php files in Drupal install dir remotely and without getting SFTP access. I had a look on the state of the drupal6 package just after and noticed there are some critical bugfixes not backported to stable branch. That's all at the very moment.

In my experience, this correlation is good enough to reasonably assume causation. When a website is compromised, and the software running the website has known vulnerabilities, there is rarely any need to look further. Such attacks are usually automated or semi-automated.

You can reduce the problems somewhat by using ModSecurity, and disallowing a bunch of PHP functions (eval, system, etc.) that many components/extensions/modules/plugins/themes seem to find useful. This is not always practical, for instance when you use a third party webhost which does not offer these options, or when you do not have the know-how to configure these right.

I suspect that for software like Drupal, using a secondary package manager such as Portage may actually be better for the sysadmin.

-- Jan
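Two defender-side checks that follow from Jan's reply and Peter's description of the compromise (PHP files appearing in the install directory that nobody uploaded, and the advice to disallow dangerous PHP functions). This is an added example written for this page; it is not code from the thread, from Debian or from the Drupal project. It assumes the site is the Debian-packaged install, so a manifest of the files the package ships (on a real host derived from `dpkg -L <package>`, here a constructed list) is the baseline, and it uses a wanted list of functions that is my own choice. One caveat a practitioner should know: `eval` is a PHP language construct, not a function, so `disable_functions` cannot block it, which is why it is not in the list.

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side checks that follow
# Jan's remarks: (1) find PHP-type files in the install directory that the
# package did not ship, and (2) check that php.ini's disable_functions covers
# a wanted list of functions.

# unexpected_php_files WEBROOT MANIFEST
# Prints paths (relative to WEBROOT) of PHP-type files that are not listed in
# MANIFEST, one per line. MANIFEST holds one relative path per line; on a
# Debian host it would be derived from `dpkg -L <package>` (assumption: the
# site is the packaged install, so anything outside the package list is
# suspect and worth looking at).
unexpected_php_files() {
    webroot=$1
    manifest=$2
    sorted_manifest=$(mktemp)
    LC_ALL=C sort -u "$manifest" > "$sorted_manifest"
    # Drupal code also lives in .inc and .module files, so match those too.
    (cd "$webroot" && find . -type f \
        \( -name '*.php' -o -name '*.inc' -o -name '*.module' \) \
        | sed 's#^\./##' | LC_ALL=C sort -u) \
        | LC_ALL=C comm -23 - "$sorted_manifest"   # lines only in the find output
    rm -f "$sorted_manifest"
}

# Functions we want listed in disable_functions (my own choice, not a Debian or
# Drupal recommendation). eval is deliberately absent: it is a language
# construct, not a function, and disable_functions cannot block it.
WANTED_DISABLED="system exec passthru shell_exec popen proc_open"

# disable_functions_missing PHP_INI
# Prints each name from WANTED_DISABLED that the last uncommented
# disable_functions line of PHP_INI does not contain; prints nothing when all
# are present.
disable_functions_missing() {
    ini=$1
    present=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | tail -n 1 | sed -e 's/^[^=]*=//' -e 's/[[:space:]]//g' | tr ',' '\n')
    for fn in $WANTED_DISABLED; do
        # -x: the whole line must equal the function name
        if ! printf '%s\n' "$present" | grep -qx "$fn"; then
            echo "$fn"
        fi
    done
}

# demo: builds a constructed site tree and php.ini under a temp directory and
# runs both checks against them. Run with `sh thisfile.sh demo`.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/site/modules/node" "$d/site/sites/default/files"
    touch "$d/site/index.php" "$d/site/modules/node/node.module" \
          "$d/site/sites/default/files/x.php"   # x.php stands in for a planted file
    printf '%s\n' index.php modules/node/node.module > "$d/manifest"
    printf '%s\n' '; constructed php.ini' \
        'disable_functions = system, exec,passthru' > "$d/php.ini"
    echo "files not shipped by the package:"
    unexpected_php_files "$d/site" "$d/manifest"
    echo "wanted functions still enabled:"
    disable_functions_missing "$d/php.ini"
    rm -rf "$d"
}

if [ "${1-}" = demo ]; then
    demo
fi
```

On a Debian host the same idea is available without a hand-written manifest: `dpkg -L <package>` lists the shipped files and `debsums` checks their checksums, so a file that is neither listed nor matching its recorded checksum is the thing to investigate. Files under a site's writable upload directory are the usual place for planted PHP to land, which is also why that directory should not be served as executable code.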