Multiple security vulnerabilities for drupal versions <7.52 and <8.2.3, as per drupal advisory: DRUPAL-SA-CORE-2016-005.

Reproducible: Always

Expected Results: Please bring <www-apps/drupal-{7.52,8.2.3} into the tree.

Vulnerabilities listed in the advisory are:
1. Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 8)
2. Incorrect cache context on password reset page (Less critical - Drupal 8)
3. Confirmation forms allow external URLs to be injected (Moderately critical - Drupal 7)
4. Denial of service via transliterate mechanism (Moderately critical - Drupal 8)
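The report above gives only the fixed releases per major version. The check below is an added example, not code from the bug, from Gentoo, or from the Drupal project: it classifies the Drupal versions present in a tree against the advisory's thresholds (7.52 for the 7.x series, 8.2.3 for the 8.x series) and treats a major version with no fixed release, such as the EoL Drupal 6 series, as unsupported rather than "not listed, so fine". The version list it scans is constructed here from the versions named in this bug; the `-rN` revision handling is an assumption about Gentoo-style version strings and is not part of the advisory.

```python
"""Classify Drupal versions against DRUPAL-SA-CORE-2016-005.

Added example; not part of the Gentoo bug, the Gentoo tree, or Drupal.
Fixed releases come from the advisory; the Drupal 6 EoL status comes from
the discussion in the bug. Version strings are assumed to be dotted
numerics as used in the Gentoo tree, optionally with a "-rN" revision.
"""
import re
from typing import Dict, List, Tuple

# First non-vulnerable release for each major version covered by the advisory.
# Anything below these (in the same major series) is vulnerable.
FIXED: Dict[int, Tuple[int, ...]] = {
    7: (7, 52),
    8: (8, 2, 3),
}

# Major versions the project no longer supports; no fix will ever ship.
# Drupal 6 was announced EoL on 24 February 2016 (per the bug discussion).
UNSUPPORTED_MAJORS = {6}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "8.1.10" or "8.1.10-r1" into a comparable tuple (8, 1, 10).

    The Gentoo "-rN" ebuild revision does not change the upstream release,
    so it is stripped before comparison (assumption about the input form).
    """
    upstream = re.sub(r"-r\d+$", "", version.strip())
    if not re.fullmatch(r"\d+(\.\d+)*", upstream):
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(int(part) for part in upstream.split("."))


def classify(version: str) -> str:
    """Return "fixed", "vulnerable" or "unsupported" for one Drupal version."""
    parsed = parse_version(version)
    major = parsed[0]
    if major in UNSUPPORTED_MAJORS or major not in FIXED:
        # No fixed release exists for this series: do not report it as
        # "fixed" just because the advisory does not mention it.
        return "unsupported"
    # Tuple comparison handles differing lengths: (8, 2) < (8, 2, 3).
    return "fixed" if parsed >= FIXED[major] else "vulnerable"


def plan_cleanup(versions: List[str]) -> Dict[str, str]:
    """Map each version in the tree to the action a maintainer would take.

    "keep"  - fixed release, stays in the tree
    "drop"  - vulnerable release with a fixed sibling, remove it
    "mask"  - unsupported series, package.mask with a security warning
    """
    actions = {"fixed": "keep", "vulnerable": "drop", "unsupported": "mask"}
    return {v: actions[classify(v)] for v in versions}


# Constructed input: the www-apps/drupal versions named in this bug.
TREE_VERSIONS = ["6.38", "7.52", "8.1.10", "8.2.3"]

if __name__ == "__main__":
    for version, action in plan_cleanup(TREE_VERSIONS).items():
        print(f"www-apps/drupal-{version}: {classify(version):11s} -> {action}")
```

Note the ordering: a series is checked for "unsupported" before the threshold comparison, so a future EoL major is never silently reported as fixed. Slotting by major version, as suggested later in this bug, maps directly onto the per-major `FIXED` table here.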
04:07 < gentoovcs> jmbsvicetto → repo/gentoo (www-apps/drupal/) Add 8.2.3 and 7.52 releases - (DRUPAL-SA-CORE-2016-005) bug 600124.
04:07 < gentoovcs> jmbsvicetto → repo/gentoo (www-apps/drupal/) Drop old and vulnerable versions.
11:20 < gentoovcs> jmbsvicetto → repo/gentoo (www-apps/drupal/) www-apps/drupal: Drop 8.1.10 as it's vulnerable to DRUPAL-SA-CORE-2016-005 - bug 600124. Mask 6.38 as it's no longer supported and will be removed at the end of the year. This drops or masks the remaining versions, so there's no more clean-up to be done.
Dropped by maintainer: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4d65ab86c0e0478b81e4ce5a0672000bd5b9628

Drupal 6 will stay package.masked in tree until the end of the year with appropriate security warning. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=908cbb45d54f2717cb3edde5c1dc015718f644db
(In reply to Jorge Manuel B. S. Vicetto from comment #2)
> This drops or masks the remaining versions, so there's no more clean-up to
> be done.

I may misunderstand what you've written, so just to confirm:

Both Drupal 8.2.3 and Drupal 7.52 are not vulnerable and continue to be supported by the project, so both should stay on the tree. Meanwhile, Drupal 6 has been announced EoL since 24 February 2016 and is of course unsupported. It may be better if drupal was slotted, as the architectural differences between different major versions are significant and migration between them is not a trivial exercise.

HTH.
--
Regards,
Mick
(In reply to MickKi from comment #4)
> (In reply to Jorge Manuel B. S. Vicetto from comment #2)
>
> > This drops or masks the remaining versions, so there's no more clean-up to
> > be done.
>
> I may misunderstand what you've written, so just to confirm:
>
> Both Drupal 8.2.3 and Drupal 7.52 are not vulnerable and continue to be
> supported by the project, so both should stay on the tree. Meanwhile,
> Drupal 6 has been announced EoL since 24 February 2016 and is of course
> unsupported. It may be better if drupal was slotted as the architectural
> differences between different major versions are significant and migration
> between them is not a trivial exercise.

https://gitweb.gentoo.org/repo/gentoo.git/commit/www-apps/drupal?id=a4d65ab86c0e0478b81e4ce5a0672000bd5b9628
https://gitweb.gentoo.org/repo/gentoo.git/commit/profiles/package.mask?id=908cbb45d54f2717cb3edde5c1dc015718f644db

So I dropped the vulnerable 8.1.10 version and masked the 6.38 release.

> HTH.
> --
> Regards,
> Mick
commit fc20a1ad964731a5394196d52c464f4d60b77607
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Fri Jan 6 10:24:12 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Fri Jan 6 10:29:32 2017

    www-apps/drupal: Clean 6.38 up (masked for removal), #600124