Blog

Drupal 6 core security update for SA-CORE-2020-002

by David Snopek on May 20, 2020 - 11:17am

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for Drupal core to fix a vulnerability in jQuery. You can learn more in the security advisory:

Drupal core - Moderately Critical - Cross Site Scripting - SA-CORE-2020-002

Here you can download the Drupal 6 patch to fix, or a full release ZIP or TAR.GZ.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

FYI, there was another Drupal core security release made today (SA-CORE-2020-003) but that one doesn't affect Drupal 6.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

We're Keeping Drupal 7 Alive for (at least!) 1639 More Days!

by Elliot Christenson on May 7, 2020 - 12:06am

Worldwide, we are obviously in very uncertain times. Jobs are changing, health is changing, work is changing, organizations are changing - but wouldn't it be great if Drupal could sort of just stay the same?

Wouldn't it be great if you could count on your amazing Drupal 7 site to carry you through to whatever is next? Whenever that might be? You can!

We can care for your Drupal website while you care for what matters.

by Elliot Christenson on April 1, 2020 - 10:37pm

Most of us have been caught under-prepared for the pandemic. You're capable of handling your Drupal website - no problemo! However, the safety of your family, friends, and community is your current priority. During this period, don't forget that myDropWizard can help with all of your support and maintenance needs for Drupal 6, 7 and 8. We have three great plans to cover all your potential Drupal needs.

Drupal 6 security update for CKEditor module

by David Snopek on March 18, 2020 - 3:22pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the CKEditor module to fix a Cross Site Scripting (XSS) vulnerability.

The CKEditor module provides one way to integrate CKEditor into Drupal.

Due to the usage of the JavaScript eval() function on non-filtered data in the admin section, it was possible for a user with permission to create content visible in the admin area to inject specially crafted malicious script.

The problem existed in CKEditor module for Drupal, not in JavaScript libraries with the same names, however, it's highly recommended that you update to the latest version of the CKEditor JavaScript library as well, because it also recently fixed some XSS vulnerabilities.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch or the full release.

If you have a Drupal 6 site using the CKEditor module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Is Your Drupal Site Protected from Cancellation?

by Elliot Christenson on March 4, 2020 - 11:10pm

With world events as they are recently, many events and products have been cancelled. Timelines have been pushed off, budgets have been cut - there is a lot of uncertainty. What is the contingency plan for your Drupal site?

Drupal 9 is coming out soon. What to do to get ready?

by Elliot Christenson on February 5, 2020 - 9:55pm

As you may have heard, Drupal 9 is coming soon. Are you ready for it? What are the steps you can do to be ready? There are 3 main things you can do to prepare, read on!

Drupal 9 is Coming Out in June. What To Do About Drupal 7!?

by Elliot Christenson on January 8, 2020 - 11:41pm

According to Drupal.org, Drupal 9 is scheduled to be released on June 3, 2020. It is scheduled to be released alongside a "LTS" minor version of Drupal 8 at the same time. What happens with Drupal 7?

There are three important things to know - and some associated dates:

  • When does community support end?
  • When does extended support end?
  • What should you do?

myDropWizard will give Extended Support to all current Drupal 7 customers!

by Elliot Christenson on December 19, 2019 - 12:04am

In November 2021, Drupal 7 will be End-of-Life (EOL). To continue getting security updates, you'll need to get Extended Support (D7ES). But if you sign up before EOL, you'll get automatic security updates until then AND a better price when EOL comes.

Drupal 6 security update for Webform module

by David Snopek on December 11, 2019 - 2:45pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for the Webform module to fix a Cross Site Scripting (XSS) vulnerability.

The Webform module is for making forms and surveys in Drupal. 

It doesn't sufficiently sanitize token values taken from query strings. If a query string token is used as the value of a markup component, an attacker can inject JavaScript into a page.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch or the full release.

If you have a Drupal 6 site using the Webform module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

What happens when the Drupal Security Team marks a module as unsupported?

by David Snopek on November 13, 2019 - 8:44pm

You may have noticed that today the Drupal Security Team marked 16 modules as unsupported, due to the module maintainer not fixing a reported security vulnerability after a sufficiently long period of time.

Among those modules, there were a few very popular ones like Admininistration Views and Nodequeue, which have have reported ~118k and ~40k sites using them, respectively.

Everytime a popular module is unsupported, there's a certain amount of panic and uncertainty, so I wanted to address that in this article, both for the Drupal community at large, and for our customers in particular, because we promise to deploy security updates the same day they are released.

Read more to see our perspective!

Popular topics

Subscribe to Blog on Drupal 7-8 Support and Maintenance + Drupal 6 Long-Term Support: myDropWizard

We're a Top 40 Drupal Blog!

o