by David Snopek on March 2, 2016 - 8:49pm
On Wednesday of last week, Drupal 6 finally reached End-of-Life (EOL). This means that security for Drupal 6 (both core and select contrib modules) is up to the official Drupal 6 Long-Term-Support vendors -- and we're one of those vendors!
The whole idea of a commercial Long-Term Support (LTS) period is untested (this is a first in the Drupal community) and there's understandably some uncertainty in the community about how this process will work (and whether it will work).
Well, it's only a week in, and we've already published our first Drupal 6 LTS patch!
Today, SA-CONTRIB-2016-009 was published for the Drupal 7 branch of the Prepopulate module, and we (the Drupal 6 LTS vendors) released a Drupal 6 version of that fix shortly after - you can get the patch here.
This vulnerability is relatively serious: the module previously allowed attackers to set arbitrary values in PHP's $_REQUEST superglobal and to set values for hidden fields when creating or editing a piece of content.
As part of our (myDropWizard) offer, we deploy security updates/patches to any of our clients on the same day that a patch is published (including for Drupal 7 and 8 clients) and today was no different. :-)
Anyway, I think this is a great start to the Drupal 6 LTS effort!