Old 10-07-2012, 06:41 PM
Robert Pommrich
 
Fwd: Security support for CMSes

Putting it back to the list where it came from.

-------- Original Message --------
Subject: Re: Security support for CMSes
Date: Sun, 7 Oct 2012 20:25:11 +0200
From: Nico Golde <nion@debian.org>
To: Robert Pommrich <LeProvokateur@gmx.de>
CC: luigi@debian.org, security@debian.org

Hi,
* Robert Pommrich <LeProvokateur@gmx.de> [2012-10-07 16:01]:
> On 07.10.2012 12:19, Peter Viskup wrote:
> > Hello everybody,
> > I am using Drupal6 from Debian repositories as I thought that Debian is
> > taking care of the security fixes and therefore I do not have to take
> > care too much.
> > Unfortunately one of my sites was cracked and there were none of
> > security fixes released in June 2012 by Drupal community backported to
> > main release till today. The only 'fixed' version of Drupal6 is
> > available on backports.debian.org.
> > Do you use Debian versions of CMSes?
> > Are you continuously checking the main releases and checking the states
> > of Debian packages?
> > What are your proposals for running any CMS available in Debian
> > repositories?
> > Does somebody have similar experience from the past or with another CMS
> > from Debian repositories?
>
> you should address the issue to the maintainer luigi@debian.org,
> and the security team [1] (security@debian.org or
> team@security.debian.org), which I put in CC.
>
> Looking at
>
> http://security-tracker.debian.org/tracker/status/release/stable
>
> there are 2 issues which are not fixed in the current stable version of
> drupal6. Perhaps the maintainer and/or the security team overlooked them.

Providing security updates for packages in Debian is still based on voluntary
work. Therefore it can happen sometimes that either a security fix is
overlooked or no person has committed to provide/release an updated package.
The latter probably applies in this case.

Can you further specify what exactly you mean by cracked? This would be
interesting as even though two CVE ids are marked as unfixed in stable, none
of the issues qualifies for example to execute code on a remote drupal
installation.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/5071CCCA.90004@gmx.de
 
Old 10-07-2012, 10:18 PM
Peter Viskup
 
Fwd: Security support for CMSes

I overlooked that it was not sent to the debian-user list.

-------- Original Message --------
Subject: Re: Security support for CMSes
Date: Mon, 08 Oct 2012 00:07:56 +0200
From: Peter Viskup <skupko.sk@gmail.com>
To: Robert Pommrich <LeProvokateur@gmx.de>, luigi@debian.org, security@debian.org

Hello Nico,

On 10/07/2012 08:25 PM, Nico Golde wrote:
> Hi,
> Providing security updates for packages in Debian is still based on voluntary
> work. Therefore it can happen sometimes that either a security fix is
> overlooked or no person has committed to provide/release an updated package.
> The latter probably applies in this case.

I fully agree on that, understand that and am thankful to everybody
working on the Debian project.

> Can you further specify what exactly you mean by cracked? This would be
> interesting as even though two CVE ids are marked as unfixed in stable, none
> of the issues qualifies for example to execute code on a remote drupal
> installation.

I do not know what security issue was used to crack my site - they used
some Drupal weakness to create some PHP files in the Drupal install dir
remotely and without getting SFTP access.
I had a look at the state of the drupal6 package just after and noticed
there are some critical bugfixes not backported to the stable branch.
That's all at the very moment.

--
Peter
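
Added example, not part of the original messages: one way to look for the symptom described above (PHP files appearing in a packaged CMS install directory) is to compare the tree with the package's dpkg-style md5sums manifest. The prefix `opt/example-cms`, the file names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

CODE_SUFFIXES = (".php", ".inc", ".module")  # assumption: extensions treated as code

def parse_md5sums(text):
    """Map path -> md5 hex from dpkg md5sums lines ('<md5>  <path relative to />')."""
    sums = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            sums[os.path.normpath(path.strip())] = digest.lower()
    return sums

def audit_tree(fs_root, prefix, sums):
    """Return (unowned code files, modified packaged files) under fs_root/prefix."""
    unowned, modified = [], []
    # os.walk does not descend into symlinked directories by default.
    for dirpath, _dirs, files in os.walk(os.path.join(fs_root, prefix)):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, fs_root)
            if rel not in sums:
                if name.lower().endswith(CODE_SUFFIXES):
                    unowned.append(rel)      # code the package never shipped
                continue
            with open(full, "rb") as fh:     # MD5 only because the manifest uses it
                if hashlib.md5(fh.read()).hexdigest() != sums[rel]:
                    modified.append(rel)     # packaged file changed after install
    return sorted(unowned), sorted(modified)

def demo():
    """Build a constructed tree, then simulate one dropped and one edited file."""
    pkg = {"opt/example-cms/index.php": b"<?php // front controller\n",
           "opt/example-cms/includes/common.inc": b"<?php // helpers\n"}
    with tempfile.TemporaryDirectory() as fs_root:
        for rel, data in pkg.items():
            os.makedirs(os.path.dirname(os.path.join(fs_root, rel)), exist_ok=True)
            with open(os.path.join(fs_root, rel), "wb") as fh:
                fh.write(data)
        manifest = "\n".join(f"{hashlib.md5(d).hexdigest()}  {p}" for p, d in pkg.items())
        dropped = os.path.join(fs_root, "opt/example-cms/includes/cache_tmp.php")
        with open(dropped, "wb") as fh:      # constructed: file not in the package
            fh.write(b"<?php // not shipped by the package\n")
        with open(os.path.join(fs_root, "opt/example-cms/index.php"), "ab") as fh:
            fh.write(b"// appended after install\n")
        return audit_tree(fs_root, "opt/example-cms", parse_md5sums(manifest))

if __name__ == "__main__":
    print(demo())
```

On a real Debian host the manifest is the package's `/var/lib/dpkg/info/<package>.md5sums` file. An attacker who gained root could have altered it, so compare against a copy from a trusted source.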
 
Old 10-08-2012, 07:52 AM
Jon Dowland
 
Fwd: Security support for CMSes

On Sun, Oct 07, 2012 at 08:41:14PM +0200, Robert Pommrich wrote:
> Putting it back to the list where it came from.

It was already there. I'm not sure what you've done to your mail
configuration, but list mail is working fine: no need to forward
more copies to it.


Archive: http://lists.debian.org/20121008075253.GB10625@debian
 