[teknoids] Major Drupal security updates for contrib modules expected tomorrow

Elmer Masters emasters at cali.org
Wed Jul 13 12:28:04 EDT 2016


Well, that was anticlimactic. Bulletins were issued for 3 lightly used
contrib modules, Coder https://www.drupal.org/node/2765575, RESTWS
https://www.drupal.org/node/2765567, and Webform Multiple File Upload
https://www.drupal.org/node/2765573. If you happen to have any of these
modules running you should update right away. No CALI sites are affected.

Of the 3 the Coder issue is worst because it's exploitable even if the
module is disabled but present in the web tree.

Thanks,
Elmer.

On Tue, Jul 12, 2016 at 5:09 PM, Elmer Masters <emasters at cali.org> wrote:

> Folks,
>
> The following message is making the rounds of the Drupal community. The
> last time an alert like this went out was back in the Fall of 2014 when the
> issue led to thousands of Drupal sites being compromised in a matter of
> hours.
>
> I'll be applying any applicable updates quickly tomorrow afternoon, so you
> may see a blip in the CALI website.
>
> Of particular note is that since Drupal 6 is no longer supported it isn't
> covered by this announcement but it may still be affected.
>
> Happy patching,
> Elmer.
>
> *From:* security-news at drupal.org
> *Date:* July 12, 2016 at 12:37:55 PM CDT
> *To:* security-news at drupal.org
> *Subject:* *[Security-news] Drupal contrib - Highly Critical - Remote
> code execution PSA-2016-001*
> *Reply-To:* noreply at drupal.org
>
> View online: https://www.drupal.org/node/2764899
>
>  * Advisory ID: DRUPAL-PSA-2016-001
>  * Project: Drupal contributed modules
>  * Version: 7.x
>  * Date: 2016-July-12
>  * Security risk: 22/25 (Highly Critical)
>    AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All [1]
>  * Vulnerability: Arbitrary PHP code execution
>
> -------- DESCRIPTION ---------------------------------------------------------
>
> There will be multiple releases of Drupal contributed modules on Wednesday
> July 13th 2016 16:00 UTC that will fix highly critical remote code execution
> vulnerabilities (risk scores up to 22/25 [2]). The Drupal Security Team urges
> you to reserve time for module updates at that time because exploits are
> expected to be developed within hours/days. Release announcements will appear
> at the standard announcement locations. [3]
>
> Drupal core is not affected. Not all sites will be affected. You should
> review the published advisories on July 13th 2016 to see if any modules you
> use are affected.
>
> -------- CONTACT AND MORE INFORMATION ----------------------------------------
>
> The Drupal security team can be reached at security at drupal.org or via the
> contact form at https://www.drupal.org/contact [4].
>
> Learn more about the Drupal Security team and their policies [5], writing
> secure code for Drupal [6], and securing your site [7].
>
> Follow the Drupal Security Team on Twitter at
> https://twitter.com/drupalsecurity [8]
>
>
> [1] https://www.drupal.org/security-team/risk-levels
> [2] https://www.drupal.org/security-team/risk-levels
> [3] https://www.drupal.org/security/contrib
> [4] https://www.drupal.org/contact
> [5] https://www.drupal.org/security-team
> [6] https://www.drupal.org/writing-secure-code
> [7] https://www.drupal.org/security/secure-configuration
> [8] https://twitter.com/drupalsecurity
>
> --
> Elmer R. Masters
> Director of Technology
> Center for Computer-Assisted Legal Instruction
> emasters at cali.org    773-332-7508
>



-- 
Elmer R. Masters
Director of Technology
Center for Computer-Assisted Legal Instruction
emasters at cali.org    773-332-7508
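
Because the Coder issue is exploitable while the module is merely present in the web tree, the enabled-module list is not enough; the files on disk have to be checked. The following is an added example, not part of the original messages or the Drupal advisories: a shell function that scans a docroot for the three named modules. The directory names `coder`, `restws` and `webform_multifile` and the sample tree are assumptions.

```shell
#!/usr/bin/env bash
# Added example: find the three modules named in the 13 July 2016 bulletins
# anywhere under a Drupal docroot, whether or not Drupal has them enabled.
# ASSUMPTION: on-disk project names are coder, restws, webform_multifile.
AFFECTED_MODULES="coder restws webform_multifile"

# Print "module<TAB>version<TAB>directory" for every <module>.info file found.
find_affected_modules() {
    docroot=$1
    for m in $AFFECTED_MODULES; do
        find "$docroot" -type f -name "$m.info" 2>/dev/null |
        while IFS= read -r info; do
            # Packaged releases carry a line such as: version = "7.x-N.N"
            ver=$(sed -n 's/^version[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' \
                  "$info" | tail -n 1)
            printf '%s\t%s\t%s\n' "$m" "${ver:-unknown}" "$(dirname "$info")"
        done
    done
}

# Constructed sample tree (not real site data): Coder left on disk, RESTWS in a
# multisite directory with no version line, and one unrelated module.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/sites/all/modules/coder" \
             "$root/sites/example.org/modules/contrib/restws" \
             "$root/sites/all/modules/views"
    printf 'name = Coder\ncore = 7.x\nversion = "7.x-0.0-sample"\n' \
        > "$root/sites/all/modules/coder/coder.info"
    printf 'name = RESTful Web Services\ncore = 7.x\n' \
        > "$root/sites/example.org/modules/contrib/restws/restws.info"
    printf 'name = Views\nversion = "7.x-0.0-sample"\n' \
        > "$root/sites/all/modules/views/views.info"
    echo "$root"
}

# Scan the docroot given as $1, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then
    find_affected_modules "$1"
else
    demo=$(make_sample_tree)
    find_affected_modules "$demo"
    rm -rf "$demo"
fi
```

Compare each reported version with the fixed release named in the corresponding advisory. For Coder, a directory reported here matters even if the module is disabled in Drupal.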