Dear clients and friends,
Last week, several important security updates were announced for Drupal releases 5.x and 4.7.x. The new current releases of Drupal are now Drupal 5.3 and Drupal 4.7.8. Updating your site to the current version is strongly advised and encouraged.
Security updates are part of the life of any software. Drupal is no exception. Don't let your site get hacked!
Here is more information.
Clients with Support and Maintenance Agreements
Before we get into the security details, our clients with maintenance and support agreements with us can rest assured that we have already completed and/or scheduled all of these updates for the sites you have under contract with us. If you do not have a current agreement with us, but would like us to handle your updates, please contact us to make arrangements to schedule the work.
Affecting Drupal 5.2 and earlier versions
- SA-2007-025 - Drupal core - Arbitrary code execution via installer, rated as highly critical.
- SA-2007-024 - Drupal Core - HTTP response splitting, rated as moderately critical.
- SA-2007-026 - Drupal Core - Cross site scripting via uploads, rated as moderately critical.
- SA-2007-029 - Drupal core - User deletion cross site request forgery, rated as moderately critical.
- SA-2007-030 - Drupal Core - API handling of unpublished comment, rated as not critical.
Affecting Drupal 4.7
- SA-2007-024 - Drupal Core - HTTP response splitting, rated as moderately critical.
- SA-2007-026 - Drupal Core - Cross site scripting via uploads, rated as moderately critical.
- SA-2007-030 - Drupal Core - API handling of unpublished comment, rated as not critical.
Remember, don't hack the Drupal code! This way, security updates like these can be a breeze. (For more info on this, see http://drupal.org/best-practices .)
PHP Security Update, too
For everyone running PHP applications (including Drupal), there are critical security updates that you should have applied. Most webhosts will do this for you.
This affects both PHP4 and PHP5:
* PHP 4 before version 4.4.3.
* PHP 5 before version 5.1.4.
Information is here:
If you're running Drupal 5, you can see what version of PHP you are running by visiting your Status page at http://[example.com]/admin/logs/status . Otherwise, you can check with your web hosting company, or look at your hosting control panel, if you have one (e.g., cPanel, Webmin, Plesk), to see what version of PHP you have.
This is not something to neglect!
Stay Informed about Security Updates
Your Drupal community is collectively watching on the security front. Security updates for Drupal core and the various Drupal contributed modules happen on a regular basis.
To stay informed about security releases, visit http://drupal.org/security where you can sign up for email notifications, or you can subscribe to the Drupal security RSS feed. Don't let your site get hacked!
Our special thanks go out to the diligent Drupal Security Team!
Best,
the pingVision family
PS - This is our first newsletter. This newsletter will carry very occasional important announcements. Rest assured -- it will not fill up your in-box. Thanks!