multiple security issues in drupal7 package

Bug #1262813 reported by Christoph_vW
This bug affects 3 people
Affects: drupal7 (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Please sync the drupal7 package with Debian 7 - the Ubuntu version contains lots of security issues:

http://ftp-master.metadata.debian.org/changelogs//main/d/drupal7/drupal7_7.14-2+deb7u1_changelog

Revision history for this message
Christoph_vW (christoph-apiviewer) wrote :

affects Ubuntu 12.04 LTS

information type: Private Security → Public Security
Changed in drupal7 (Ubuntu):
status: New → Confirmed
albatros (jda) wrote :

The current Drupal package in Ubuntu 14.04 LTS' universe repository is at version 7.26. As such it is affected by multiple security issues.

albatros (jda) wrote :

As the Drupal might very likely provide a service exposed to publicly accessible networks, the package should be kept up to date.

albatros (jda) wrote :

Backporting only the fixes does not appear to be feasible, but following upstream is supposedly not the right thing to do.

As becomes clear from the version history and security advisories, this leaves a package with quite a few issues in the repository. I believe the package should be removed from the repository if it is not possible to regularly update it. The only negative consequence of removing the package appears to be it might be less convenient to install and remove the package, but in the case of drupal7, this is a rather minor inconvenience. The benefit is clear: removing the package forces users to be aware of the need to actively watch for issues and apply updates, instead of (falsely) relying on the community maintaining the repository to take care of that.

However, it might be possible to follow the upstream releases more closely, but to me it is not clear how to set the necessary machinery in motion, or contribute to the process.

Philip Storry (philipstorry) wrote :

Added CVE-2014-3704 - a highly critical SQL injection vulnerability.

See Drupal advisory "SA-CORE-2014-005 - Drupal core - SQL injection" for full details: https://www.drupal.org/SA-CORE-2014-005

This can be fixed with just one file change to /includes/database/database.inc, but I do think we should consider updating to 7.32 as a fix, as this would wrap up six vulnerabilities.

I also agree with the previous commenter that a CMS or framework is something which should be kept up to date to avoid security issues - it's no good keeping web browsers up to date if the web servers they fetch content from are growing ever more insecure.
If that can't be done, then the package should be dropped from the repositories.
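
The comment above names the file that had to change for SA-CORE-2014-005 but not what a safe version of such code looks like. The following is an added illustration written for this page, not Drupal's own code from database.inc: a helper that expands one named placeholder bound to an array into a numbered list of placeholders for an IN (...) clause, deriving every generated placeholder name from a 0-based position rather than from the keys of the caller-supplied array, so that nothing under the caller's control is ever spliced into the SQL text. The function name expandInPlaceholder and the sample query are assumptions made for the example.

```php
<?php
// Added example, not Drupal code. Expands ":name" in $sql into
// ":name_0, :name_1, ..." and returns the rewritten SQL plus the bound
// values keyed by those generated names. The array keys supplied by the
// caller are discarded by array_values(), so only the integer position
// ever becomes part of a placeholder name.
function expandInPlaceholder(string $sql, string $name, array $values): array
{
    if ($values === []) {
        throw new InvalidArgumentException("IN list for :$name is empty");
    }
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("invalid placeholder name");
    }

    $placeholders = [];
    $bound = [];
    foreach (array_values($values) as $i => $value) {
        // Only scalars (or NULL) may be bound; nested arrays are rejected.
        if ($value !== null && !is_scalar($value)) {
            throw new InvalidArgumentException("non-scalar value in IN list for :$name");
        }
        $generated = ":{$name}_{$i}";
        $placeholders[] = $generated;
        $bound[$generated] = $value;
    }

    // Replace the whole-word placeholder only, so ":names" does not also
    // match a longer placeholder such as ":names_extra" in the query.
    $pattern = '/:' . preg_quote($name, '/') . '\b/';
    $expanded = preg_replace($pattern, implode(', ', $placeholders), $sql, 1);

    return [$expanded, $bound];
}

// Constructed sample input: the keys of the argument array are deliberately
// untrustworthy-looking strings to show that they never reach the SQL.
[$sql, $args] = expandInPlaceholder(
    'SELECT uid FROM users WHERE name IN (:names)',
    'names',
    ['not a number) junk' => 'alice', 'x' => 'bob']
);

// Self-check: the SQL contains only the generated names and the caller's
// keys are gone; the values are bound under the generated names.
if ($sql !== 'SELECT uid FROM users WHERE name IN (:names_0, :names_1)') {
    throw new RuntimeException("unexpected SQL: $sql");
}
if ($args !== [':names_0' => 'alice', ':names_1' => 'bob']) {
    throw new RuntimeException("unexpected bound arguments");
}
foreach (['junk', 'x)'] as $fragment) {
    if (strpos($sql, $fragment) !== false) {
        throw new RuntimeException("caller-controlled key leaked into SQL");
    }
}
echo "placeholder expansion is position-based\n";
```

The rewritten statement and the `$bound` map are then handed to a prepared statement (for example PDO's `prepare()` and `execute($bound)`), so the values themselves are sent separately from the query text; the point of the helper is that the query text it produces depends only on the placeholder name and the count of values, never on anything the caller put in the array keys.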

Seth Arnold (seth-arnold) wrote :

Philip, note that that specific bug has been fixed (LP: #1381969) thanks to a fellow user. If you wish to provide debdiffs for the other outstanding security issues we would be happy to sponsor them for all other users.

Thanks
