Thursday, August 20, 2015

Security release: Drupal 6 and 7

The Drupal project released a new version that fixes several security issues; upgrading your existing Drupal 7 and 6 sites is strongly recommended.

The new version fixes:
  • Cross-site Scripting - Ajax system - Drupal 7: A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML element.
  • Cross-site Scripting - Autocomplete system - Drupal 6 and 7: A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.
  • And other changes that you can check in the official security advisory
In response to the new version we have released Bitnami Drupal7 and 6 installersvirtual machines and Amazon EC2,GoogleAzureVMware and DigitalOcean cloud images that fix these issues. There are no new features or non-security related bug fixes in these releases.

You should patch your Drupal version as soon as possible. You can follow the step-by-step instructions via this blog post. Stated simply, you will need to ssh to your machine, ssh to the Drupal installation directory and execute drush.

$ cd /opt/bitnami/apps/drupal/htdocs
$ drush up

If everything goes well, you should see something similar to the following:

Project drupal was updated successfully. Installed version is now 7.39.
Backups were saved into the directory /home/bitnami/drush-backups/bitnami_drupal7/20150820155354/drupal.                  [ok]
No database updates required                               [success]
'all' cache was cleared.                                   [success]

Finished performing updates.                                    [ok]

Have questions about Bitnami Drupal? Post to our community forum, and we would be happy to help you.