Drupal 6 core security update for SA-CORE-2018-006 (and mimemail and htmlmail)

by David Snopek on October 17, 2018 - 6:17pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for Drupal core to fix multiple vulnerabilities. You can learn more in the security advisory:

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-006

The following vulnerabilities mentioned in the security advisory also affect Drupal 6:

  • External URL injection through URL aliases - Moderately Critical - Open Redirect

  • Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution

The first vulnerability is in Drupal 6 core, however, the 2nd is only present in the contrib modules: htmlmail, and mimemail. If you don't use those modules, you're not affected by the 2nd vulnerability.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 on PHP 7

by David Snopek on September 5, 2018 - 2:59pm

Back in May, we announced that we'd be working on getting Drupal 6 core, and the contrib modules used by our D6LTS customers, working on PHP 7.2 before the end of the year.

This is largely because PHP 5 will be reaching it's End of Life (EOL) on December 31st, and will no longer be supported by the PHP maintainers, which means no more security updates.

How can we help keep your Drupal 6 site secure, if PHP itself is insecure?

Well, that deadline is coming up fast, and in fact, may be coming sooner than December for folks hosted with certain hosting companies!

Acquia just announced that they'll automatically switch all sites hosted on Acquia Cloud to PHP 7.1 on October 1st, less than a month away from now.

Inspired by this (read: some of our customers are hosted on Acquia ;-)) we're going to make a push to get a handful of brave D6LTS customers switched to PHP 7.1 or 7.2 by the end of September.

After proving this out with a handful of sites in September, we'll continue to roll that out to the rest of our customers in October, November and December.

Interested in getting involved? Wondering how much of this will be shared with the community?

Read the rest of the article!

Critical Drupal core security update for SA-CORE-2018-004 (including Drupal 6!)

by David Snopek on April 25, 2018 - 11:53am

Today, there is a Critical security release for Drupal core to fix a Remote Code Execution (RCE) vulnerability. You can learn more in the security advisory:

Drupal core - Critical - Remote Code Execution - SA-CORE-2018-004

This issue also affects Drupal 6 (although, less severely than Drupal 7 or 8). So, we're also making a Drupal 6 Long-Term Support (D6LTS) release of Drupal core and the Filefield module.

Drupal 6 core security update

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

This fix is both for Drupal 6 core and the Filefield module. This is because the Drupal 7 & 8 fixes include changes to the core 'file' module, which isn't in Drupal 6 core, but an equivalent fix applies to the Filefield module.

Here you can download:

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install security updates for contrib modules (even though they won't necessarily have a release on Drupal.org).

Security Vulnerabilities Affect Your Dev Sites Too

by Will Long on April 18, 2018 - 4:25pm

When Drupalgeddon 2 (SA-CORE-2018-002) happened a few weeks back, we saw plenty of buzz from agencies and other organizations throughout the community who were having patching parties.

Yay for patching! But were you left vulnerable by not updating all of your installations?

If you didn’t update development and staging sites, you may be at risk!

Due to the nature of the vulnerability, from the largest of enterprise applications to the smallest of brochure or hobbyist site builds, all Drupal sites were affected. This includes any testing or staging versions of your site. Depending on how you manage your local development sites, even those may have been exposed too!

Still not convinced? Read more to find out why you need to update ALL sites!

The continuing importance of the Drupal 6 Long-Term Support program

by David Snopek on March 29, 2018 - 12:02am

Drupal 6 reached End-of-Life over 2 years ago, so you might be forgiven for thinking that Drupal 6 and its Long-Term Support (D6LTS) no longer matter.

However, yesterday (March 28th, 2018), there was a HIGHLY CRITICAL security vulnerability announced that affected Drupal 6, 7 & 8 (and even Backdrop).

This wasn't the first Drupal 6 LTS core release (did anyone notice that one?) and it probably won't be the last. And there are still ~65,000 sites running Drupal 6 according to Drupal.org, which were affected by this issue, and could be affected by future issues.

Luckily, the Drupal 6 LTS program is still going, and we got a patch and release out immediately!

But the D6LTS program won't go on forever... at least without users of Drupal 6 continuing to buy support from the D6LTS vendors.

I think this is a good time to remind everyone what the D6LTS program is and why it's still important to the Drupal community...

HIGHLY CRITICAL Drupal core security update for SA-CORE-2018-002 (including Drupal 6!)

by David Snopek on March 28, 2018 - 2:25pm

Today, there is a Highly Critical security release for Drupal core to fix a Remote Code Execution (RCE) vulnerability. You can learn more in the security advisory:

Drupal core - Critical - Remote Code Execution - SA-CORE-2018-002

As we noted last week, this issue also affects Drupal 6! So, we're also making a Drupal 6 Long-Term Support (D6LTS) release of Drupal core.

Drupal 6 core security update

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Here you can download the Drupal 6 patch to fix, or a full release ZIP or TAR.GZ.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install security updates for contrib modules (even though they won't necessarily have a release on Drupal.org).

Drupal 6 highly critical security release on March 28th (PSA-2018-001)

by David Snopek on March 22, 2018 - 9:16am

Yesterday, the Drupal Security Team published PSA-2018-001, announcing that there would be a security release for Drupal 7 & 8 on March 28th to fix a highly critical security vulnerability.

The same vulnerability also affects Drupal 6, and so there will also be a Drupal 6 security release shortly after the Drupal 7 & 8 security advisory is published.

We'll be announcing that here, on the myDropWizard blog, as well as in the D6LTS issue queue on Drupal.org.

If you have any Drupal 6, 7 or 8 sites, we highly recommend setting aside some time on March 28th to update all of your sites!

If you're a myDropWizard customer: we'll be sending you the patch or deploying to your site or making a PR (depending on the workflow you have setup with us) as soon as possible once the security advisory is published. As always, we get all security updates out to our customers the same day they're released! This will be no different :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Drupal core security update for SA-CORE-2018-001 (including Drupal 6!)

by David Snopek on February 21, 2018 - 12:37pm

Today, there is a Critical security release for Drupal core to fix multiple vulnerabilities. You can learn more in the security advisory:

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001

What makes this release special, is that some of these issues also affect Drupal 6! So, we're also making a Drupal 6 Long-Term Support (D6LTS) release of Drupal core.

Drupal 6 core security update

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

The following vulnerabilities mentioned in the security advisory affect Drupal 6:

  • JavaScript cross-site scripting prevention is incomplete - Critical

  • jQuery vulnerability with untrusted domains - Moderately Critical

  • External link injection on 404 pages when linking to the current page - Less Critical

Here you can download the Drupal 6 patch to fix, or a full release ZIP or TAR.GZ.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Are your private Drupal files secure? Check now!

by David Snopek on January 17, 2018 - 10:21am

One of the great things about Drupal, is that it's possible to build a pretty advanced site just by pointing and clicking and configuring things - what we call "site building" in the Drupal universe.

But with all that power, you can also make your Drupal site less secure - and possible to hack! - just by changing configuration settings! We covered other examples of this in a previous article.

Today we're going to talk about one of the most common... and most DANGEROUS: exposing your Drupal private files on the internet.

In this article we're going to discuss how to determine if your private files have been exposed, and also how to fix it.

Read more to find out!

My security resolutions for 2017! #SecurityResolutions

by David Snopek on January 31, 2017 - 11:58am

I'm a member of the Drupal Security Team, and many of the services offered by myDropWizard involve assisting our customers to improve the security of their Drupal sites -- so, I know quite a lot about security and try to be mindful about my own computer use.

However, computer security is an on-going process: it can always be improved and so you're never truly done.

In this article, I'm going to share my personal list of security resolutions for 2017!

Maybe you'll find something you'd like to implement as well?

Or perhaps you'd like to share your own security resolutions for this year?

Please share your thoughts in the comments (or on Twitter)!

Articles about keeping your Drupal site secure!

o