Drupal security update today - release at noon EDT

Joanna DiPasquale

Jul 13, 2016, 10:39:40 AM
to islandora
Hi all,

In case you haven't received this alert yet.  Many thanks to Cary at Cherry Hill for calling attention to this!

Best,
Joanna


---------- Forwarded message ----------
From: Cary Gordon <list...@chillco.com>
Date: Wed, Jul 13, 2016 at 2:26 AM
Subject: [DRUPAL4LIB] Drupal security notice - Drupal contrib - Highly Critical - Remote code execution PSA-2016-001
To: DRUPA...@listserv.uic.edu


There is a remote code execution vulnerability that was discovered by the security team. This is, AFAIK, theoretical at the moment, but it also carries a high risk factor for affected sites.

The affected module list, along with updates for those modules will be released at 1600 UTC today (9AM PDT/noon EDT). We can expect that exploits will be developed and launched within hours of these announcements. In my experience, it is likely that other, related module vulnerabilities will be announced in the next few days and weeks.

The notice is available at https://www.drupal.org/node/2764899

If you do not subscribe to the Drupal Security mailing list, now would be a good time to start (https://lists.drupal.org/mailman/listinfo/security-news). You can also get updates on Twitter at https://twitter.com/drupalsecurity.

Thanks,

Cary

>
>  * Advisory ID: DRUPAL-PSA-2016-001
>  * Project: Drupal contributed modules
>  * Version: 7.x
>  * Date: 2016-July-12
>  * Security risk: 22/25 (Highly Critical)
>    AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All [1]
>  * Vulnerability: Arbitrary PHP code execution
>
> -------- DESCRIPTION ---------------------------------------------------------
>
> There will be multiple releases of Drupal contributed modules on Wednesday
> July 13th 2016 16:00 UTC that will fix highly critical remote code execution
> vulnerabilities (risk scores up to 22/25 [2]). The Drupal Security Team urges
> you to reserve time for module updates at that time because exploits are
> expected to be developed within hours/days. Release announcements will appear
> at the standard announcement locations. [3]
>
> Drupal core is not affected. Not all sites will be affected. You should
> review the published advisories on July 13th 2016 to see if any modules you
> use are affected.
>
> -------- CONTACT AND MORE INFORMATION ----------------------------------------
>
> The Drupal security team can be reached at security at drupal.org or via the
> contact form at https://www.drupal.org/contact [4].
>
> Learn more about the Drupal Security team and their policies [5], writing
> secure code for Drupal [6], and securing your site [7].
>
> Follow the Drupal Security Team on Twitter at
> https://twitter.com/drupalsecurity [8]
>
>
> [1] https://www.drupal.org/security-team/risk-levels
> [2] https://www.drupal.org/security-team/risk-levels
> [3] https://www.drupal.org/security/contrib
> [4] https://www.drupal.org/contact
> [5] https://www.drupal.org/security-team
> [6] https://www.drupal.org/writing-secure-code
> [7] https://www.drupal.org/security/secure-configuration
> [8] https://twitter.com/drupalsecurity
>

_______________________________________________
drupal4lib mailing list
questions/help: drupal4li...@listserv.uic.edu
http://listserv.uic.edu/archives/drupal4lib.html

