VBO for drupal 6 is no longer maintained due to security issue

Thanks for the head's up, @googletorp! I'd seen the SA on VBO, and so had started planning a new release on the 2.x branch, but this'll mean quite a bit more work.

Let's start by evaluating to what extent this exposes Aegir deployments.

The module doesn't sufficiently guard user entities against unauthorized
modification. If a user has access to a user account listing view with VBO
enabled (such as admin/people when the administration_views module is used),
they will be able to edit their own account and give themselves a higher role
(such as "administrator") even if they don't have the "'administer users'"
permission.

This vulnerability is mitigated by the fact that an attacker must have access
to such a user listing page and that the bulk operation for changing Roles is
enabled.

Unless I'm mistaken, we don't use any such user admin vbo pages. So there isn't a pressing security reason to do an immediate release.

AFAICT, the fix here would be to remove vbo from our make files and dependencies, and rebuild our views as regular table displays.

This doesn't really affect Aegir, but we need to decide what to do, because 6.x version is now removed from d.o, I think?

They're looking for a new maintainer in #2516976: Fix security issue and make release to bring back D6 releases

I've volunteered in the interim to maintain VBO 6.x.

Hopefully I have time today to patch devshop and Aegir to use something that doesn't break install, then, maybe get time to fix VBO itself.

Any help is appreciated!

Switching the version to 1.x seems to have done the trick.

I've pushed the change the 6.x-2.x branch.

Can someone give the install a whirl and mark as Fixed if it works?

Thanks!

I let Jenkins do an extra build, which succeeded - http://ci.aegirproject.org/job/P_Aegir_Puppet_Module_functional_test_Aeg...

However that test has not failed the last few days either...

Included in the 6.x-2.5 release