Hello,

We're using a 6.x version of remember_me and I'm wondering whether the "known" security issue in the 7.x version is also present in the 6.x version. See SA-CONTRIB-2017-025. I have a hard time determining whether I need to uninstall the 6.x version at all cost, or if I can patch whatever security issue there is.

Does anyone in here know whether the 6.x version is affected and/or what the security issue is exactly?

Attached files:
#6 SA-CONTRIB-2017-025.patch (2.37 KB, dsnopek)

Comments

decafdennis created an issue. See original summary.

dsnopek:

Generally, the security team doesn't release the details of a vulnerability that got a module unsupported until at least 2 weeks after the SA is published. That would mean this upcoming Wednesday at the earliest.

decafdennis:

That's good to know, thank you. Do you know if they will update the SA, or publish it as a project issue, or...?

dsnopek:

This is still being discussed privately (I'm on the security team :-)). Ideally, someone will step up as new maintainer and release a fixed version for D7! That will be the best way to disclose what the vulnerability is. But if that doesn't happen, then it could end up as a public issue.

decafdennis:

@dsnopek Makes sense. I'd pick up maintenance but I don't use or work with D7 or D8 (yet). I'll keep tracking this issue.

dsnopek:

Status: Active » Needs review
File size: 2.37 KB

Sorry for taking so long to come back to this! Here's a D6 patch that fixes the same security issue.

dsnopek:

Status: Needs review » Fixed

Patch committed to repo!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.