SA-2008-068 - LOCALIZATION CLIENT AND LOCALIZATION SERVER - CROSS SA-2008-067 - DRUPAL CORE - MULTIPLE VULNERABILITIES

These CMS systems get a constant stream of security errors. Maybe drupal (and perhaps others, as I find it odd that Plone returns zero GLSA hits too, but I'm not on Plone's security mailing list) shouldn't be in the portage tree if no one is willing to maintain security updates for them.

Reproducible: Always
GLSAs are only published for packages which had a vulnerable version marked as stable (except kernel-source packages). This isn't the case for drupal, therefore no GLSAs for drupal. That doesn't mean, though, that no one's maintaining drupal or bumping/patching packages if a vulnerability has been found. You might want to take a look at Gentoo's Vulnerability Treatment Policy, which can be found at http://www.gentoo.org/security/en/vulnerability-policy.xml.
Let's use this bug for Drupal SA-2008-067 then.
Thank you for the report, Steen. I've already bumped drupal yesterday, so it's already in the tree.
(In reply to comment #3)
> Thank you for report, Steen. I've already bumped drupal yesterday. So it's
> already in the tree.

That's great, but why is drupal security not worthy of security GLSAs? (That's after all what led me to believe it wasn't being security maintained in the first place.)
As Tobias pointed out in comment 1, unstable (~arch) packages do not get GLSAs. The reason for this is not only the scarcity of our resources, but also that our testing packages are not recommended for use in a security-relevant environment.

Peter: Thanks for the hint, I forgot to "cvs up".
CVE-2008-6171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6171):
Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via unspecified vectors.

CVE-2008-6176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6176):
bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary local files via unspecified vectors.