The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.

All Drupal 7 sites on Windows web servers are vulnerable. Drupal 7 sites on Linux web servers are vulnerable with certain file directory structures, or if a vulnerable contributed or custom file access module is installed. Drupal 9 and 10 sites are only vulnerable if certain contributed or custom file access modules are installed.

Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.

This advisory is covered by Drupal Steward. Because this vulnerability is not mass exploitable, your Steward partner may respond by monitoring-only, rather than enforcing a new WAF rule. We would normally not apply for a release of this severity. However, in this case we have chosen to apply Drupal Steward security coverage to test our processes.

With the recent release of versions 7.2 and 6.22, a significant Drupal security flaw in 6.x has been identified and fixed. While I feel strongly this illustrates the value of Drupal and Open Source, it can be a significant challenge to talk to your customers about this. Here's the email that we drafted up and shared with our customers (please feel free to use it, rewrite and share if it proves useful):

There was a significant security flaw identified in the version of Drupal your site is running that was fixed in a security patch that was released on May 25. We're currently recommending implementing this patch ASAP to avoid any issues. Since you currently have an Extended Service Agreement with us, we're recommending scheduling the fix as part of our monthly allotment of hours. Since this represents a significant danger to the data on your site and machines within our hosting environment, we are considering this update to be mandatory. Please let us know if you will be able to schedule a software update within the next few weeks yourself, or we can implement the patch on a time and materials basis.

We're currently estimating this task as a 1 hour line-item billed at your normal hourly rate; however, should complications arise it's possible that it could take more time. There should be no downtime associated with the patch, but you may wish to review the site for possible issues/changes. If you need us to address any issues, they will be addressed on a T&M basis.

I feel strongly that this update should be viewed as a showcase of the value of Drupal and Open Source projects. If your site were not built using Drupal, it's likely that this issue would have gone undetected and could have resulted in significant financial cost. The recent high-profile Sony PlayStation Network security breach is a potent example of what can go wrong.

Please feel free to contact me should you have any questions. Thank you for your understanding and continuing business!

Here's a link to the official announcement:

I'd love to hear how you deal with these potentially tough conversations, and what you've learned from them.

Really this security update is no different from the many that happen in contrib every year. While it may be exploitable for a given site (if the site has error-reporting-to-screen enabled - which goes against best practices), any of the many security updates to contrib may be exploitable for a given site as well depending on the site's configuration and depending on who the site defines as "untrusted" users. We offer a maintenance plan (separate or included with a monthly retainer) to all our hosted clients that includes all security updates. We simply run them all (with the client doing Q/A before deployment if it's more than a simple upgrade) rather than attempt to sort through whether or not a specific security issue applies to a given site at this time (which could change tomorrow if the site configuration changes).
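The advisory above describes the bug class only in outline: a file download facility that does not sufficiently sanitize the requested path can let users reach private files outside the directory they were meant to see. As an added illustration (not Drupal's own code, and not the specific flaw fixed in that release), here is a naive containment check beside a hardened one; the private files root and the sample requests are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed for the example: the directory that holds private files.
PRIVATE_ROOT = "/var/www/private"


def weak_resolve(requested: str) -> Optional[str]:
    """Flawed check: a string-prefix test on the joined path before any
    canonicalisation, so '../' segments still pass and escape the root."""
    candidate = PRIVATE_ROOT + "/" + requested
    if candidate.startswith(PRIVATE_ROOT + "/"):
        return candidate
    return None


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened check: decode once (as the web server would), reject
    backslashes and NULs that some platforms treat as separators or
    terminators, normalise away '.' and '..' segments, then require the
    result to sit strictly inside PRIVATE_ROOT. On a real filesystem,
    also apply os.path.realpath so a symlink cannot point out of the root."""
    decoded = unquote(requested)
    if "\\" in decoded or "\x00" in decoded:
        return None
    # posixpath.join drops PRIVATE_ROOT when decoded is absolute; the
    # containment test below rejects that case as well.
    candidate = posixpath.normpath(posixpath.join(PRIVATE_ROOT, decoded))
    if candidate.startswith(PRIVATE_ROOT + "/"):
        return candidate
    return None


def audit(requests):
    """Return {request: (weak_result, safe_result)} so the two policies
    can be compared side by side on the same inputs."""
    return {r: (weak_resolve(r), safe_resolve(r)) for r in requests}


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest malformed.
    sample = [
        "reports/2011/q1.pdf",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "..\\..\\settings.php",
        "/etc/passwd",
    ]
    for req, (weak, safe) in audit(sample).items():
        print(f"{req!r:30} weak={weak!r:45} safe={safe!r}")
```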