Security Review 1.3 released for Drupal 6!

by David Snopek on March 24, 2016 - 5:03pm

If you're running a Drupal site of any version (6, 7 or 8), I highly recommend installing the Security Review module and following its recommendations!

What many people don't realize, is that even if you've applied every security update that affects your site, it's possible to introduce vulnerabilities (or make it super easy to escalate a minor vulnerability to a highly critical one) by configuring your Drupal site insecurely.

The Security Review module can identify the most common insecure configurations on your site and tell you how to fix them!

However, if you're planning on keeping your Drupal 6 site running after its End-of-Life (EOL), it's doubly important that you install the Security Review module and harden your site's configuration.

And, yesterday, we released Security Review 1.3 for Drupal 6!

This release is basically the same as 6.x-1.x-dev release has been for a year, but we've been using it successfully with our customers for quite awhile. So, we figured it was time to make a proper release. :-)

However, we intend to continue maintaining the Drupal 6 version of the module and hope to fix (or otherwise close) the last 20 open issues and make more releases.

While most other modules are discontinuing maintenance on their Drupal 6 versions because of the EOL, I think this is one module that needs increased maintenance because of it. :-)

Getting accurate 'Available updates' for Drupal 6

by David Snopek on March 4, 2016 - 8:20am

If you still have a Drupal 6 site and use the 'update' module, you probably noticed that you're no longer getting accurate information about security updates on the "Available updates" report. In fact, it's telling you to disable all your modules, which isn't very helpful. :-)

This is because after February 24th, Drupal 6's End-of-Life date, all Drupal 6 modules on were marked as unsupported. This was always part of the plan, because the Drupal community wants to stop supporting Drupal 6, and leave that work to the Drupal 6 Long-Term Support (LTS) vendors.

However, it had an interesting side-effect!

If a module is marked as unsupported, the 'update' module won't tell you about available security updates for that module!

This is particularly problematic because there were 2 big security releases on February 24th as well: Drupal 6.38 and FileField 3.14. If you didn't update right away on February 24th, then on February 25th, there was already no mention of those security releases on the "Available updates" report. (Those two in particular are temporarily marked as supported, so you should actually see them now.)

And if you only do security updates every few weeks or months, then you could be unaware of even more security releases made before the update status information become unreliable.

(Note: While it's NOT recommended to wait that long, the reality is that people with small budgets can only pay someone to perform updates once a month, or every few months. We apply security updates same day for our customers, but not everyone can afford that.)

However, we've created an alternative to the 'update' module which will allow you to get accurate information about security updates, both past, and going into the future with releases from the Drupal 6 LTS vendors!

First Drupal 6 LTS patch released (for Prepopulate module)!

by David Snopek on March 2, 2016 - 8:49pm

On last week Wednesday, Drupal 6 finally reached End-of-Life (EOL). This means that security for Drupal 6 (both core and select contrib modules) is up to the official Drupal 6 Long-Term-Support vendors -- and we're one of those vendors!

The whole idea of a commercial Long-Term Support (LTS) period is untested (this is a first in the Drupal community) and there's understandably some uncertainty in the community about how this process will work (and if it will work).

Well, it's only a week in, and we've already published our first Drupal 6 LTS patch!

You need to update libc on all your Linux servers NOW!

by David Snopek on February 17, 2016 - 6:35am

If you don't follow security news, you might not be aware of the libc vulnerability published yesterday. The vulnerability was introduced in 2008 - so, it's likely this affects all Linux servers (and desktops, if you run Linux on the desktop) that you're responsible for.

What version of PHP does Drupal 6 need?

by Elliot Christenson on February 12, 2016 - 8:36am

The short answer is: Drupal 6 officially supports only PHP 5.2, but you should use the highest version of PHP that doesn't break your site!

For the longer answer:

PHP 5.2.17 is the latest version of PHP in the 5.2.x branch of the popular programming language. While there are several newer versions, it's a safe bet that legacy code will operate under 5.2.17. However, there are potential security holes with earlier versions of PHP.

How the "official" Drupal 6 Long-Term Support will work!

by David Snopek on January 26, 2016 - 7:51am

As you may know, Drupal 6 will reach End-Of-Life (EOL) on February 24th, 2016. This means the Drupal community (including the Security Team) will no longer support Drupal 6!

However, a small group of commercial vendors will collaborate with the Drupal Security Team to take on Long-Term Support of Drupal 6! And myDropWizard is one of those Drupal 6 long-term support vendors. :-)

In this article, we'll answer the following questions:

  • What specifically will happen on February 24th?
  • What is the official Drupal 6 LTS?
  • How will the process work?
  • What will customers need to pay for?

Read more for the answers!

Drupal 6 Long-Term Support ... for after official support ends!

by Elliot Christenson on November 12, 2015 - 8:19pm

In case you haven't heard, the Drupal project is discontinuing "official support" for Drupal 6!

Typically, only two major versions of Drupal are supported at once: the latest version, and the previous one. Right now, that means Drupal 7 and 6 are supported.

But when Drupal 8 is released on November 19th, 2015, Drupal 6 will only be officially supported for an additional 3 months (until February 24th, 2016).

Of course, you'll need to update to Drupal 7 or 8 eventually!

But what if 3 months isn't enough time for you to upgrade?

We're happy to announce Long-Term Support (LTS) for Drupal 6, in order to keep your site going long after the end of official support!

Read more to learn what the end of official support means, and the details of our Drupal 6 LTS.

Understanding Drupal Security Advisories: Vulnerability type

by David Snopek on October 5, 2015 - 9:09am

Every Wednesday, the Drupal Security Team publishes "Security Advisories" (or SA's) to tell users about security vulnerabilities in Drupal core and contrib modules, with advice on how to solve the issue so that their site is secure.

This is the second in a series of articles about how to better understand all the information in a security advisory, so that you know how to take the appropriate action for your site!

There are several different types of security vulnerabilities, each with a cryptic (and highly technical) name like Cross Site Scripting (XSS) or SQL Injection.

There's plenty of technical articles on the internet explaining what those mean from a coder perspective, including how to prevent them (by writing better code) or even how to exploit them.

But what do they mean for you, the site builder or site owner?

The most important question for you is: If an attacker exploits your site with a particular vulnerability, what will they be able to do to your site or users?

Of course, you should take action on any security advisory that affects your site as soon as possible (or hire someone else to do it). But what could happen if you didn't?

Some vulnerabilities would allow an attacker to completely take control over your site, whereas others would only allow them to access some non-public data. How can you tell which are which?

Read more to learn how the different vulnerability types could impact your site or users!

Understanding Drupal Security Advisories: The Risk Calculator

by David Snopek on September 15, 2015 - 9:06am

Every Wednesday, the Drupal Security Team publishes "Security Advisories" (or SA's) to tell users about security vulnerabilities in Drupal core and contrib modules, with advice on how to solve the issue so that their site is secure.

This is the first in a series of articles about how to better understand all the information in a security advisory, so that you know how to take the appropriate action for your site!

Not all security vulnerabilities are equal!

Some are highly critical and require immediate action (like SA-CORE-2014-005, aka Drupalgeddon, was) or your site could be irrepairably damaged and you'll have to restore from backups.

And while you should take action on any security advisory that affects your site as soon as possible (or hire someone else to do it), some security vulnerabilities present less risk, so you might choose to delay updating and focus on more important things in your business or personal life.

But how do you make that decision?

All security advisories come with a "Security risk" that is generated by the Risk Calculator, which is where the labels like "Less Critical" or "Highly critical" come from.

However, those labels aren't very instructive because they don't really tell you what you're at risk of. 

Each security advisory also includes the full set of values provided to the Risk Calculator - which contain a wealth of information about the vulnerability - you just need to know how to decode and understand it.

That's what this article is about!

Read more to learn how to understand the Risk Calculator used in Drupal Security Advisories!

Articles aggregated for consumption on Drupal Planet!