
Re: Security support for CMSes



Hi,
* Robert Pommrich <LeProvokateur@gmx.de> [2012-10-07 16:01]:
> On 07.10.2012 12:19, Peter Viskup wrote:
> > Hello everybody,
> > I am using Drupal6 from Debian repositories as I thought that Debian is
> > taking care of the security fixes and therefore I do not have to take
> > care too much.
> > Unfortunately one of my sites was cracked and there were none of
> > security fixes released in June 2012 by Drupal community backported to
> > main release till today. The only 'fixed' version of Drupal6 is
> > available on backports.debian.org.
> > Do you use Debian versions of CMSes?
> > Are you continuously checking the main releases and checking the states
> > of Debian packages?
> > What are your proposals for running any CMS available in Debian
> > repositories?
> > Does somebody have similar experience from the past or with another CMS
> > from Debian repositories?
> 
> you should address the issue to the maintainer luigi@debian.org,
> and the security team [1] (security@debian.org or
> team@security.debian.org), which I put in CC.
> 
> Looking at
> 
> http://security-tracker.debian.org/tracker/status/release/stable
> 
> there are 2 issues which are not fixed in the current stable version of
> drupal6. Perhaps the maintainer and/or the security team overlooked them.

Providing security updates for packages in Debian is still based on voluntary 
work. Therefore it can happen sometimes that either a security fix is 
overlooked or no person has committed to provide/release an updated package.
The latter probably applies in this case.

Can you further specify what exactly you mean by cracked? This would be 
interesting as even though two CVE ids are marked as unfixed in stable, none 
of the issues qualifies, for example, to execute code on a remote drupal 
installation.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
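The thread's practical question is how to keep checking the state of a Debian package against the security tracker that Robert links. The script below is an added example, not code from the list members or from Debian: it parses data in the layout of the tracker's JSON export (source package, then CVE id, then a per-release entry with a status, an urgency and, once fixed, a fixed version) and lists what is still open for a package in a given release, skipping issues the tracker rates "unimportant". The package name drupal6 and the release name squeeze (stable in October 2012) are real; the CVE ids, versions and descriptions in the sample are constructed placeholders, and the exact field set of the live export is an assumption to verify against a current download.

```python
import json

# Constructed sample data, not a real tracker export: it follows the layout of
# the Debian security tracker's JSON feed (source package -> CVE id ->
# per-release entry with "status", "urgency" and, once fixed, "fixed_version").
# The CVE ids, versions and descriptions are placeholders.
SAMPLE_TRACKER_JSON = json.dumps({
    "drupal6": {
        "CVE-0000-0001": {
            "description": "placeholder: fixed in stable and unstable",
            "scope": "remote",
            "releases": {
                "squeeze": {"status": "resolved", "urgency": "medium",
                            "fixed_version": "6.0-placeholder-fix1"},
                "sid": {"status": "resolved", "urgency": "medium",
                        "fixed_version": "6.0-placeholder-fix1"},
            },
        },
        "CVE-0000-0002": {
            "description": "placeholder: fixed in unstable, still open in stable",
            "scope": "remote",
            "releases": {
                "squeeze": {"status": "open", "urgency": "medium"},
                "sid": {"status": "resolved", "urgency": "medium",
                        "fixed_version": "6.0-placeholder-fix2"},
            },
        },
        "CVE-0000-0003": {
            "description": "placeholder: open everywhere but rated unimportant",
            "scope": "local",
            "releases": {
                "squeeze": {"status": "open", "urgency": "unimportant"},
                "sid": {"status": "open", "urgency": "unimportant"},
            },
        },
    },
})


def unfixed_issues(tracker_json, package, release, ignore_urgencies=("unimportant",)):
    """Return the CVE entries still open for `package` in `release`.

    Entries whose urgency is in `ignore_urgencies` are skipped: the tracker
    uses 'unimportant' for issues judged not to affect the Debian package.
    The result is a list of dicts sorted by CVE id.
    """
    data = json.loads(tracker_json)
    found = []
    for cve_id, info in data.get(package, {}).items():
        entry = info.get("releases", {}).get(release)
        if entry is None or entry.get("status") != "open":
            continue
        if entry.get("urgency") in ignore_urgencies:
            continue
        found.append({"cve": cve_id,
                      "urgency": entry.get("urgency", "unknown"),
                      "description": info.get("description", "")})
    return sorted(found, key=lambda e: e["cve"])


def fixed_versions(tracker_json, package, release):
    """Map each resolved CVE id to the version that fixes it in `release`,
    so the admin can compare it with the version shown by `dpkg -s <package>`."""
    data = json.loads(tracker_json)
    out = {}
    for cve_id, info in data.get(package, {}).items():
        entry = info.get("releases", {}).get(release, {})
        if entry.get("status") == "resolved" and "fixed_version" in entry:
            out[cve_id] = entry["fixed_version"]
    return out


def report(tracker_json, package, release):
    """Human-readable summary: open issues first, then fixed ones with versions."""
    lines = [f"{package} in {release}:"]
    open_issues = unfixed_issues(tracker_json, package, release)
    if not open_issues:
        lines.append("  no open issues (ignoring 'unimportant')")
    for issue in open_issues:
        lines.append(f"  OPEN  {issue['cve']} [{issue['urgency']}] {issue['description']}")
    for cve_id, version in sorted(fixed_versions(tracker_json, package, release).items()):
        lines.append(f"  FIXED {cve_id} in {version}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TRACKER_JSON, "drupal6", "squeeze"))
```

Run against the sample, the report flags the one issue that is open in stable at a non-trivial urgency and lists the version that closes the resolved one; with a real export, feeding it the package names from `dpkg -l` and the release you run turns this into a periodic check that answers Peter's "are you continuously checking" question without relying on memory.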
