by David Snopek on January 16, 2019 - 12:47pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for Drupal core to fix a Remote Code Execution (RCE) vulnerability. You can learn more in the security advisory:

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2019-002

Here you can download the Drupal 6 patch to fix, or a full release ZIP or TAR.GZ.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

FYI, there was another Drupal core security release made today (SA-CORE-2019-001) but that one doesn't affect Drupal 6, because Drupal 6 doesn't bundle the Archive_Tar library. However, that vulnerability may affect custom or contrib modules on your site.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on

Want to read more articles like this? blog Subscribe to the blog and recieve e-mail updates when new articles are published!


Thanx for the post!

Will it helps if i disable phar upload in this way?

In file_save_upload just die() if there is phar file in upload data.

I don't know if scanning for PHAR content in uploads was something that was explored.

However, it's usually the model in Drupal, that you can enter dangerous content (for example, putting XSS code in a node body) but it gets filtered out when displayed (for example, stripping Javascript code in the text format). So, preventing files that don't end in .phar being used as a PHAR fits in with that model. It's also the approach used by a 3rd party library which Drupal is able to leverage, which is nice: all CMS's can share this same solution, rather than each rolling their own.

But if you have a way to detect that a file with PHAR content is being uploaded and die(), that would be an extra amount of protection. I'd love to see that patch if you make it. :-)

Add comment