by David Snopek on May 25, 2016 - 11:26am

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for XML sitemap to fix a Cross-Site Scripting (XSS) vulnerability.

The module doesn't sufficiently filter the URL when it is displayed in the sitemap.

This vulnerability is mitigated if the setting for "Include a stylesheet in the sitemaps for humans." on the module's administration settings page is not enabled (the default is enabled).

Download the patch for XML Sitemap 6.x-2.x (also works with 6.x-2.1, the latest release), 6.x-1.x or 6.x-1.2.

If you have a Drupal 6 site using the XML sitemap, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Want to read more articles like this?

myDropWizard.com blog Subscribe to the myDropWizard.com blog and recieve e-mail updates when new articles are published!

Comments

Since 31st of May I am getting "There was a problem determining the status of available updates for your version of Drupal" from my installation of mydropwizard. I had version 1.3 and I updated to 15, but the message remains... is there anything happening in your servers?

Can you open an issue in the queue, and give the IP that your server uses for out-going requests? Then I can check for your IP in our logs and try to see what's happening. We've had a number of people get blocked by our firewall.

Add comment

o