Overlooked that it was not sent to the debian-user list.

-------- Original Message --------
Subject: Re: Security support for CMSes
Date: Mon, 08 Oct 2012 00:07:56 +0200
From: Peter Viskup <skupko...@gmail.com>
To: Robert Pommrich <leprovokat...@gmx.de>, lu...@debian.org, secur...@debian.org



Hello Nico,

On 10/07/2012 08:25 PM, Nico Golde wrote:
> Hi,
> Providing security updates for packages in Debian is still based on voluntary
> work. Therefore it can happen sometimes that either a security fix is
> overlooked or no person has committed to provide/release an updated package.
> The latter probably applies in this case.

I fully agree on that, understand that and am thankful to everybody
working on the Debian project.

> Can you further specify what exactly you mean by cracked? This would be
> interesting as even though two CVE IDs are marked as unfixed in stable, none
> of the issues qualifies, for example, to execute code on a remote Drupal
> installation.

I do not know what security issue was used to crack my site - they used
some Drupal weakness to create some PHP files in the Drupal install dir
remotely and without getting SFTP access.
I had a look at the state of the drupal6 package just after and noticed
there are some critical bugfixes not backported to the stable branch.
That's all at the moment.

--
Peter
