by David Snopek on March 28, 2018 - 2:25pm

Today, there is a Highly Critical security release for Drupal core to fix a Remote Code Execution (RCE) vulnerability. You can learn more in the security advisory:

Drupal core - Critical - Remote Code Execution - SA-CORE-2018-002

As we noted last week, this issue also affects Drupal 6! So, we're also making a Drupal 6 Long-Term Support (D6LTS) release of Drupal core.

Drupal 6 core security update

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Here you can download the Drupal 6 patch to fix, or a full release ZIP or TAR.GZ.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install security updates for contrib modules (even though they won't necessarily have a release on

Want to read more articles like this?


Subscribe to the blog and recieve e-mail updates when new articles are published!


Updating via the mydropwizard module is still not possible. Do you know when it will be?

Sorry, I'll update this blog article. It is possible to update via Drush and the mydropwizard module for contrib modules, but not core. I'd love to get that working, but it isn't something we'll have working today.

You'd be best off downloading the release from GitHub here:

Thanks for the great job and the quick answer.
But does it mean you changed your mind since this post on (see below) ?

I'm not sure what you mean? The mydropwizard can still tell you on the "Available updates" report that a new core release is available, and if you have an older release, it'll tell you your core is insecure. But actually updating core via Drush with the mydropwizard module doesn't work currently. Patches welcome :-)

Can't thank you enough--we still have several D6 sites up and running and this was a vital patch. Thank you.

I mean that last month I updated core to the previous update (from 6.38 to 6.41) via the mydropwizard module. I'm sure of this, because it's the only method I use to update my D6 site.
And I've thought I would be able to do the same with this current update.

Oh, interesting! I've never gotten a core update to work that way. You're doing it like "drush up drupal"?

In any case, we haven't changed anything in our process since the release last month. The information about the release is definitely in our update status data. Are you getting a particular error message?

I had only done "drush up", and core updated at once from 6.38 to 6.41.
But when I did it, in admin/reports/updates/list, 6.38 version of core was marked: "security update available". Now the 6.41 version of core is marked: "up to date", even after a "drush core-cron".

Issue solved!
I've just done "drush rf" before "drush up", and core has been updated via the mydropwizard module.

Super cool! I've never had that work for me, but when I've got some more time, I'll try again :-)


A) I can't say enough good things about the mydropwizard module. I've been supporting a couple of D6 sites that for one reason or another can't upgrade to D8 yet and the ability to find and patch provides just that much more help.

B) I did not realize we could use drush with mydropwizard. That is even cooler.


I just read about Will there be another security patch for D6?