Re: Fwd: Re: Security support for CMSes

2012-10-08 Thread Jon Dowland
On Sun, Oct 07, 2012 at 08:41:14PM +0200, Robert Pommrich wrote:
> Putting it back to the list where it came from.

It was already there. I'm not sure what you've done to your mail
configuration, but list mail is working fine: no need to forward
more copies to it.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20121008075253.GB10625@debian



Fwd: Re: Security support for CMSes

2012-10-07 Thread Robert Pommrich
Putting it back to the list where it came from.

---- Original Message ----
Subject: Re: Security support for CMSes
Date: Sun, 7 Oct 2012 20:25:11 +0200
From: Nico Golde n...@debian.org
To: Robert Pommrich leprovokat...@gmx.de
CC: lu...@debian.org, secur...@debian.org

Hi,
* Robert Pommrich leprovokat...@gmx.de [2012-10-07 16:01]:
> On 07.10.2012 12:19, Peter Viskup wrote:
>> Hello everybody,
>> I am using Drupal6 from Debian repositories as I thought that Debian is
>> taking care of the security fixes and therefore I do not have to take
>> care too much.
>> Unfortunately one of my sites was cracked and none of the security
>> fixes released in June 2012 by the Drupal community have been backported
>> to the main release till today. The only 'fixed' version of Drupal6 is
>> available on backports.debian.org.
>> Do you use Debian versions of CMSes?
>> Are you continuously checking the main releases and checking the states
>> of Debian packages?
>> What are your proposals for running any CMS available in Debian
>> repositories?
>> Does somebody have similar experience from the past or with another CMS
>> from Debian repositories?
>
> You should address the issue to the maintainer lu...@debian.org
> and the security team [1] (secur...@debian.org or
> t...@security.debian.org), which I put in CC.
>
> Looking at
>
> http://security-tracker.debian.org/tracker/status/release/stable
>
> there are 2 issues which are not fixed in the current stable version of
> drupal6. Perhaps the maintainer and/or the security team overlooked them.

Providing security updates for packages in Debian is still based on
voluntary work. Therefore it can happen sometimes that either a security
fix is overlooked or no person has committed to provide/release an
updated package. The latter probably applies in this case.

Can you further specify what exactly you mean by cracked? This would be
interesting as even though two CVE ids are marked as unfixed in stable,
none of the issues qualifies for example to execute code on a remote
drupal installation.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0


-- 
Archive: http://lists.debian.org/5071ccca.90...@gmx.de



Fwd: Re: Security support for CMSes

2012-10-07 Thread Peter Viskup

Overlooked it was not sent to debian-user list.

---- Original Message ----
Subject: Re: Security support for CMSes
Date: Mon, 08 Oct 2012 00:07:56 +0200
From: Peter Viskup skupko...@gmail.com
To: Robert Pommrich leprovokat...@gmx.de, lu...@debian.org,
secur...@debian.org

Hello Nico,

On 10/07/2012 08:25 PM, Nico Golde wrote:

> Hi,
> Providing security updates for packages in Debian is still based on voluntary
> work. Therefore it can happen sometimes that either a security fix is
> overlooked or no person has committed to provide/release an updated package.
> The latter probably applies in this case.


I fully agree on that, understand that and am thankful to everybody
working on the Debian project.


> Can you further specify what exactly you mean by cracked? This would be
> interesting as even though two CVE ids are marked as unfixed in stable, none
> of the issues qualifies for example to execute code on a remote drupal
> installation.


I do not know what security issue was used to crack my site - they used
some Drupal weakness to create some php files in the Drupal install dir
remotely and without getting SFTP access.
I had a look at the state of the drupal6 package just after and noticed
there are some critical bugfixes not backported to the stable branch.
That's all at the moment.

--
Peter
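One check that follows from the report above (PHP files appearing in the install directory that the package never shipped) is an integrity audit of the install tree against the dpkg manifest. The script below is an added example for this thread, not code from Debian, the drupal6 package or any of the participants. It assumes the standard dpkg md5sums format (`/var/lib/dpkg/info/<pkg>.md5sums`, one `<md5>  <path>` line per shipped file, paths without a leading slash); the drupal6 paths and file contents in `demo()` are constructed for the demonstration.

```python
"""Added example (not from the thread or from Debian): audit a package's
install tree against its dpkg md5sums manifest.

dpkg records an MD5 for every file a package ships. Comparing the live
tree with that list surfaces two things a defender wants after an
incident like the one reported: shipped files whose contents changed,
and PHP files the package never shipped at all. MD5 is used only because
that is what dpkg records; it is an inventory match, not a security hash.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def parse_md5sums(text):
    """Parse dpkg md5sums text ('<md5>  <relative path>') into a dict."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, path = line.split(None, 1)
        manifest[path] = digest
    return manifest


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large files do not load whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_tree(root, manifest, prefix):
    """Compare the files under `root` (installed at `prefix`, e.g.
    'usr/share/drupal6') with the manifest.

    Returns (unexpected_php, modified, missing): PHP files not listed in
    the manifest, listed files whose hash differs, and listed files that
    are gone. Non-PHP files outside the manifest (uploads, caches) are
    ignored, since a CMS legitimately writes those.
    """
    root = Path(root)
    unexpected, modified, seen = [], [], set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = prefix + "/" + full.relative_to(root).as_posix()
            seen.add(rel)
            if rel in manifest:
                if md5_of(full) != manifest[rel]:
                    modified.append(rel)
            elif name.lower().endswith(".php"):
                unexpected.append(rel)
    missing = [p for p in manifest if p.startswith(prefix + "/") and p not in seen]
    return sorted(unexpected), sorted(modified), sorted(missing)


def demo():
    """Constructed sample: an intact shipped file, a shipped file changed on
    disk, a PHP file the package never shipped, and a shipped file missing."""
    prefix = "usr/share/drupal6"  # hypothetical install prefix for the demo
    original = b"<?php // shipped index\n"
    shipped_module = b"<?php // shipped module\n"
    manifest_text = "\n".join([
        f"{hashlib.md5(original).hexdigest()}  {prefix}/index.php",
        f"{hashlib.md5(shipped_module).hexdigest()}  {prefix}/modules/node.module",
        f"{hashlib.md5(b'// shipped js').hexdigest()}  {prefix}/misc/drupal.js",
    ])
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "modules").mkdir()
        (root / "files").mkdir()
        (root / "index.php").write_bytes(original)
        (root / "modules" / "node.module").write_bytes(b"<?php // changed on disk\n")
        (root / "files" / "unknown.php").write_bytes(b"<?php // not in the manifest\n")
        (root / "files" / "image.png").write_bytes(b"\x89PNG")  # user upload, ignored
        return audit_tree(root, parse_md5sums(manifest_text), prefix)


if __name__ == "__main__":
    unexpected, modified, missing = demo()
    print("unexpected PHP:", unexpected)
    print("modified:", modified)
    print("missing:", missing)
```

On a Debian host the real inputs would be the text of `/var/lib/dpkg/info/drupal6.md5sums` and a walk of `/usr/share/drupal6` with prefix `usr/share/drupal6`; `debsums` already covers the "modified" part, and the listing of PHP files absent from the manifest is what it does not give you. A manifest read from a compromised host can itself have been edited, so for a forensic comparison take the md5sums from a freshly downloaded copy of the same .deb rather than from the machine under investigation.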