Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 243414

Summary: www-apps/drupal <5.12 <6.6 Multiple vulnerabilities (CVE-2008-{6171,6176})
Product: Gentoo Security Reporter: Steen Eugen "Miravlix" Poulsen <sep>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://drupal.org/node/324824
Whiteboard: ~1? [noglsa]
Package list:
Runtime testing required: ---

Description Steen Eugen "Miravlix" Poulsen 2008-10-23 16:02:22 UTC 
SA-2008-068 - LOCALIZATION CLIENT AND LOCALIZATION SERVER - CROSS
SA-2008-067 - DRUPAL CORE - MULTIPLE VULNERABILITIES

These CMS systems get a constant stream of security errors, maybe drupal (and perhaps others as I find it odd plone returns zero glsa hits too, but I'm not on plones security mailing list.) shouldn't be in the portage tree if no one is willing to maintain security updates of them.


Reproducible: Always
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-23 16:08:21 UTC 
GLSA's are only published for packages which had a vulnerable version marked as stable (except kernel-source packages). This isn't the case for drupal, therefore no GLSA's for drupal. That doesn't mean though, that noone's maintaing drupal or bump/patch packages if a vulnerability has been found.

You might want to take a look at Gentoo's Vulnerability Treatment Policy which can be found at http://www.gentoo.org/security/en/vulnerability-policy.xml.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-23 18:01:43 UTC 
Let's use this bug for Drupal SA-2008-067 then.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2008-10-24 06:33:41 UTC 
Thank you for report, Steen. I've already bumped drupal yesterday. So it's already in the tree.
Comment 4 Steen Eugen "Miravlix" Poulsen 2008-10-24 07:16:21 UTC 
(In reply to comment #3)
> Thank you for report, Steen. I've already bumped drupal yesterday. So it's
> already in the tree.
> 

That great, but why is drupal security not worthy of security glsa's? (Thats after all what lead me to believe it wasn't being security maintained in the first place)
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-10-24 08:47:14 UTC 
As Tobias pointed out in comment 1, unstable (~arch) packages do not get GLSAs. The reason for this is not only the scarcity of our resources, but also that our testing packages are not recommended for usage in a security-relevant environment.

Peter: Thanks for the hint, I forgot to "cvs up".
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 21:26:18 UTC 
CVE-2008-6171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6171):
  Drupal 5.x before 5.12 and 6.x before 6.6, when the server is
  configured for "IP-based virtual hosts," allows remote attackers to
  include and execute arbitrary files via unspecified vectors.

CVE-2008-6176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6176):
  bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the
  server is configured for "IP-based virtual hosts," allows remote
  attackers to include and execute arbitrary local files via
  unspecified vectors.