It's no longer possible to build the hostmaster with drush, since views 6.x is no longer available due to a security issue: [#2516688]. The current download for 6.x-2.4 is still functioning, but further releases will most likely have an issue.

Are there plans on what to do with this issue?

Comments

ergonlogic:

Thanks for the head's up, @googletorp! I'd seen the SA on VBO, and so had started planning a new release on the 2.x branch, but this'll mean quite a bit more work.

Let's start by evaluating to what extent this exposes Aegir deployments.

ergonlogic:

The module doesn't sufficiently guard user entities against unauthorized modification. If a user has access to a user account listing view with VBO enabled (such as admin/people when the administration_views module is used), they will be able to edit their own account and give themselves a higher role (such as "administrator") even if they don't have the "administer users" permission.

This vulnerability is mitigated by the fact that an attacker must have access to such a user listing page and that the bulk operation for changing Roles is enabled.

Unless I'm mistaken, we don't use any such user admin vbo pages. So there isn't a pressing security reason to do an immediate release.

AFAICT, the fix here would be to remove vbo from our make files and dependencies, and rebuild our views as regular table displays.

omega8cc:

This doesn't really affect Aegir, but we need to decide what to do, because the 6.x version is now removed from d.o, I think?

Jon Pugh:

I've volunteered in the interim to maintain VBO 6.x.

Hopefully I have time today to patch devshop and Aegir to use something that doesn't break install, then, maybe get time to fix VBO itself.

Any help is appreciated!

  • Jon Pugh committed 5b0360d on 6.x-2.x
    Fixes #2520332: Install 1.x version of Views Bulk Operations since 1.16...
Jon Pugh:

Status: Active » Needs review

Switching the version to 1.x seems to have done the trick.

I've pushed the change to the 6.x-2.x branch.

Can someone give the install a whirl and mark as Fixed if it works?

Thanks!
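
The fix above amounts to re-pinning one project in the hostmaster make file away from a branch that has been pulled for a security advisory. The following is an added example (not Aegir's or devshop's code) of how a build pipeline can catch that situation before a release: it parses the drush `.make` format and flags any project whose pinned version sits on a branch listed as unsupported. The make-file contents, the `MAKE_BEFORE`/`MAKE_AFTER` names and the `UNSUPPORTED` table are constructed for illustration; in practice that table would be fed from the drupal.org advisory list rather than hard-coded.

```python
"""Flag drush make-file pins that land on an unsupported project branch.

Added example: the sample make file and the unsupported-branch table are
constructed for illustration, not taken from Aegir.
"""
import re

# Constructed sample: a Drupal 6 hostmaster-style make file before and after
# switching Views Bulk Operations from the pulled 6.x-2.x branch to 1.x.
MAKE_BEFORE = """
core = 6.x
api = 2
projects[] = drupal
projects[views][version] = "2.16"
; VBO 6.x-2.x branch, later withdrawn for a security issue
projects[views_bulk_operations][version] = "2.4"
projects[admin_menu][version] = "1.8"
"""

MAKE_AFTER = MAKE_BEFORE.replace(
    'projects[views_bulk_operations][version] = "2.4"',
    'projects[views_bulk_operations][version] = "1.16"',
)

# Constructed table: core -> project -> set of major branches no longer
# supported. A real pipeline would load this from the advisory feed.
UNSUPPORTED = {"6.x": {"views_bulk_operations": {"2"}}}

# key, optional [..][..] subscripts, '=', value
LINE_RE = re.compile(r'^\s*([A-Za-z_]+)((?:\[[^\]]*\])*)\s*=\s*(.*?)\s*$')


def parse_make(text):
    """Return (core, {project: {attribute: value}}) for drush make text.

    Handles the three project forms drush make accepts:
      projects[] = foo
      projects[foo] = "2.4"
      projects[foo][version] = "2.4"
    """
    core = None
    projects = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()  # ';' starts an ini comment
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, subscripts, value = m.groups()
        value = value.strip('"\'')
        keys = re.findall(r'\[([^\]]*)\]', subscripts)
        if name == 'core' and not keys:
            core = value
        elif name == 'projects':
            if not keys or keys == ['']:          # projects[] = foo
                projects.setdefault(value, {})
            elif len(keys) == 1:                  # projects[foo] = "2.4"
                projects.setdefault(keys[0], {})['version'] = value
            else:                                 # projects[foo][attr] = ...
                projects.setdefault(keys[0], {})[keys[1]] = value
    return core, projects


def major_branch(version):
    """'2.4', '6.x-2.4' and '2.x-dev' all live on major branch '2'."""
    m = re.match(r'^(?:\d+\.x-)?(\d+)\.', version)
    return m.group(1) if m else None


def find_unsupported(make_text, unsupported=UNSUPPORTED):
    """Return [(project, pinned_version)] for pins on an unsupported branch."""
    core, projects = parse_make(make_text)
    findings = []
    for name, attrs in projects.items():
        version = attrs.get('version')
        if version is None:
            continue  # unpinned: drush make resolves the recommended release
        if major_branch(version) in unsupported.get(core, {}).get(name, set()):
            findings.append((name, version))
    return findings


if __name__ == '__main__':
    for label, make in (('before', MAKE_BEFORE), ('after', MAKE_AFTER)):
        print(label, find_unsupported(make) or 'clean')
```

Run as a pre-build step, a non-empty result from `find_unsupported` is the signal to fail the build rather than ship a platform whose dependency has already been withdrawn; the "after" make file, with VBO pinned to 1.16 as in the commit above, passes.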

helmo:

I let Jenkins do an extra build, which succeeded - http://ci.aegirproject.org/job/P_Aegir_Puppet_Module_functional_test_Aeg...

However that test has not failed the last few days either...

helmo:

Status: Needs review » Fixed

Included in the 6.x-2.5 release

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.