by David Snopek on May 24, 2017 - 9:30am

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for the AES encryption module.

The AES module provides an API for encrypting and decrypting data via AES. It also allows storing Drupal passwords encrypted in the database (rather than hashed) which can allow site administrators with high enough permissions to view user passwords.

Previously, the module implemented AES poorly: the encryption was weakened, which could have made it easier for an attacker to decrypt data given enough examples of the encrypted data.

(A note about the timing of this release: the AES module was unsupported on March 1st, and we started working on a fix right away in the D6LTS queue. We usually release D6LTS patches the same day the D7/D8 patches are posted or two weeks after a module is unsupported. However, in this case we had only a single Enterprise customer using AES, so we worked on it according to a timeline dictated by them, which involved testing their custom modules using the AES API with their team. So, we're releasing this after it's been fully tested and deployed for our one affected customer - if more customers had been affected, it would have been released same-day, as usual.)

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the AES module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).


Comments

Hey David, there's one thing I always wonder. What could be the reason to stay on Drupal 6 now, with the migration being made a lot simpler and all? :)

Hey! It really depends on the organization: Can they afford the migration right now? What additional value can they gain by migrating to Drupal 8? Even if the process is simpler, it can still take quite a long time and be pretty costly. If there isn't something new they want to do with their site to provide them with additional value, it can be hard to justify rebuilding a site that's essentially the same, when there's other projects (non-web ones) competing for the same budget which will provide additional value to the organization.

I wrote an article about this quite a while ago now:

https://www.mydropwizard.com/blog/why-you-shouldnt-upgrade-drupal-6

Much of what I wrote there is out-of-date now (Drupal 8 is a lot more ready!) but the high-level idea still applies: wait until the right time for your organization, it'll be cheaper, even if you have to pay for D6LTS in the meantime.
