pingVision Interactive Design + Development for Drupal websites http://pingv.com/node/3582/atom/feed 2005-08-15T02:10:59-05:00 Drupal 4.6.3 update http://pingv.com/blog/laura/200508/drupal-4-6-3-update 2005-08-15T00:41:15-05:00 2005-08-15T02:10:59-05:00 Laura We just updated pingVision to Drupal 4.6.3, a security-fix that addresses another xmp-rpc breach:

The Drupal project has released version 4.6.3 of its open-source content management platform. Drupal 4.6.3 is a maintenance release that fixes problems reported using the bug tracking system. Drupal 4.6.3 also fixes a new security vulnerability in the third-party XML-RPC library that Drupal ships with. Since the same bug is also present in the Drupal 4.5 series, Drupal 4.5.5 is released as well. If you cannot upgrade at once, we strongly suggest that you remove the xmlrpc.php file from your Drupal installation's root directory. The xmlrpc.php file is used only for Drupal to receive XML-RPC calls.

Anyone running Drupal should update immediately. The download tarball is here. Also, if you are running Drupal 4.5.x, there is an update for you here.

If you cannot do the update right away, or do not know how, here is the short-term fix:

If you cannot upgrade immediately, you can secure your site by removing the XML-RPC server: simply remove the file "xmlrpc.php" in the root of your Drupal directory.

This will prevent you from using a program like ecto to post to your site, but it will protect your site from the newly discovered security vulnerability.

---

Update: If you are running CivicSpace, a security advisory is here.

]]>