by David Snopek on March 2, 2016 - 8:49pm

On last week Wednesday, Drupal 6 finally reached End-of-Life (EOL). This means that security for Drupal 6 (both core and select contrib modules) is up to the official Drupal 6 Long-Term-Support vendors -- and we're one of those vendors!

The whole idea of a commercial Long-Term Support (LTS) period is untested (this is a first in the Drupal community) and there's understandably some uncertainty in the community about how this process will work (and if it will work).

Well, it's only a week in, and we've already published our first Drupal 6 LTS patch!

Today, SA-CONTRIB-2016-009 was published for the Drupal 7 branch of the Prepopulate module, and we (the Drupal 6 LTS vendors) released a Drupal 6 version of that fix shortly after - you can get the patch here.

This vulnerability is actually relatively serious, as the module previously allowed attackers to set arbitrary values on the PHP $_REQUEST global and set values for hidden fields when creating or editing a piece of content.

As part of our (myDropWizard) offer, we deploy security updates/patches to any of our clients on the same day that a patch is published (including for Drupal 7 and 8 clients) and today was no different. :-)

Anyway, I think this is a great start to the Drupal 6 LTS effort!

Want to read more articles like this? blog Subscribe to the blog and recieve e-mail updates when new articles are published!

Add comment