Friday, March 20, 2015

Security fix for Drupal, new versions 7.35 and 6.35 released

The Drupal project has just released two new versions that fix multiple vulnerabilities, one of which is considered moderately critical. You can find more information about these issues in the Drupal security team's blog post.

Some issues include:
  • Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password.
  • A malicious user can use the "destination" query string parameter to construct a URL that will trick users into being redirected to a third-party website.

We have released Bitnami Drupal 6.35 and 7.35 installers, virtual machines and Amazon EC2, Google and Windows Azure cloud images that fix these issues. If you already have a running version of Bitnami Drupal, you can update it with the drush tool.

$ cd /opt/bitnami/apps/drupal/htdocs
$ drush up
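
To confirm after running drush that an existing installation is at a fixed release, the following added example (not part of the original post, nor Bitnami's or Drupal's own tooling) reads the core version constant from the Drupal tree and compares it with 6.35 / 7.35. It assumes Drupal 7 defines VERSION in includes/bootstrap.inc and Drupal 6 in modules/system/system.module; the function names are hypothetical, and a 6.35-dev or 7.35-dev snapshot is treated as unpatched.

```shell
#!/bin/sh
# Added example: check that a Drupal 6/7 tree is at or above 6.35 / 7.35.
# Assumption: Drupal 7 defines VERSION in includes/bootstrap.inc and
# Drupal 6 defines it in modules/system/system.module.

# Print the core version found under the Drupal root $1.
drupal_version() {
    for f in "$1/includes/bootstrap.inc" "$1/modules/system/system.module"; do
        [ -f "$f" ] || continue
        v=$(sed -n "s/^define('VERSION', *'\([0-9][^']*\)');.*/\1/p" "$f" | head -n 1)
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# Return 0 only if version $1 is a 6.x or 7.x release at or above x.35.
is_patched() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}     # numeric part of the minor version
    suffix=${rest#"$minor"}    # "-dev" on a snapshot, empty on a release
    case "$major" in 6|7) ;; *) return 1 ;; esac
    [ -n "$minor" ] || return 1
    if [ -n "$suffix" ]; then
        [ "$minor" -gt 35 ]    # assumption: x.35-dev predates the x.35 release
    else
        [ "$minor" -ge 35 ]
    fi
}

# Report on the Drupal root $1; returns 0 when the fixed release is installed.
check_root() {
    cv=$(drupal_version "$1") || { echo "$1: no Drupal core version found"; return 2; }
    if is_patched "$cv"; then
        echo "$1: Drupal $cv is at or above the fixed release"
    else
        echo "$1: Drupal $cv is below 6.35/7.35, update with drush"
        return 1
    fi
}

# Usage: sh check_drupal.sh /opt/bitnami/apps/drupal/htdocs
if [ "$#" -gt 0 ]; then
    check_root "$1"
fi
```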

We will continue to work on updating and releasing new versions of Drupal-based projects: CiviCRM and OpenAtrium.