Bug 243414 - www-apps/drupal <5.12 <6.6 Multiple vulnerabilities (CVE-2008-{6171,6176})
Summary: www-apps/drupal <5.12 <6.6 Multiple vulnerabilities (CVE-2008-{6171,6176})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://drupal.org/node/324824
Whiteboard: ~1? [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-10-23 16:02 UTC by Steen Eugen "Miravlix" Poulsen
Modified: 2009-02-23 21:26 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Steen Eugen "Miravlix" Poulsen 2008-10-23 16:02:22 UTC
SA-2008-068 - LOCALIZATION CLIENT AND LOCALIZATION SERVER - CROSS
SA-2008-067 - DRUPAL CORE - MULTIPLE VULNERABILITIES

These CMS systems get a constant stream of security errors; maybe Drupal (and perhaps others, as I find it odd that Plone returns zero GLSA hits too, but I'm not on Plone's security mailing list) shouldn't be in the Portage tree if no one is willing to maintain security updates for them.


Reproducible: Always
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-23 16:08:21 UTC
GLSAs are only published for packages which had a vulnerable version marked as stable (except kernel-source packages). This isn't the case for drupal, therefore no GLSAs for drupal. That doesn't mean, though, that no one's maintaining drupal or bumping/patching packages if a vulnerability has been found.

You might want to take a look at Gentoo's Vulnerability Treatment Policy which can be found at http://www.gentoo.org/security/en/vulnerability-policy.xml.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-23 18:01:43 UTC
Let's use this bug for Drupal SA-2008-067 then.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2008-10-24 06:33:41 UTC
Thank you for the report, Steen. I've already bumped drupal yesterday, so it's already in the tree.
Comment 4 Steen Eugen "Miravlix" Poulsen 2008-10-24 07:16:21 UTC
(In reply to comment #3)
> Thank you for report, Steen. I've already bumped drupal yesterday. So it's
> already in the tree.
> 

That's great, but why is Drupal security not worthy of security GLSAs? (That's, after all, what led me to believe it wasn't being security-maintained in the first place.)
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-10-24 08:47:14 UTC
As Tobias pointed out in comment 1, unstable (~arch) packages do not get GLSAs. The reason for this is not only the scarcity of our resources, but also that our testing packages are not recommended for usage in a security-relevant environment.

Peter: Thanks for the hint, I forgot to "cvs up".
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 21:26:18 UTC
CVE-2008-6171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6171):
  Drupal 5.x before 5.12 and 6.x before 6.6, when the server is
  configured for "IP-based virtual hosts," allows remote attackers to
  include and execute arbitrary files via unspecified vectors.

CVE-2008-6176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6176):
  bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the
  server is configured for "IP-based virtual hosts," allows remote
  attackers to include and execute arbitrary local files via
  unspecified vectors.