The Drupal project released a new update that fixes several security vulnerabilities. We strongly recommend upgrading your existing Drupal 8, 7, and 6 sites.
A few of the notable fixes include:
- File upload access bypass and denial of service (Drupal 7 and 8). Specifically, a vulnerability in the File module that allows a malicious user to view, delete, or substitute a link to a file that the victim has uploaded to a form, while the form has not yet been submitted and processed.
- Brute force amplification attacks via XML-RPC (Drupal 6 and 7): the XML-RPC system allows a large number of calls to the same method to be made at once, which can be used as an enabling factor in brute force attacks.
- Open redirect via path manipulation (Drupal 6, 7, and 8): the current path can be populated with an external URL.
Information regarding the additional changes is available in the official security advisory. In response to the new version we have released:
- Bitnami Drupal 8, 7, and 6 installers
- Virtual machines
- Amazon EC2, Google, Oracle, VMware vCloud Air, DigitalOcean, Azure, and CenturyLink cloud images
Our new releases fix the security issues. There are no new features or non-security related bug fixes in these releases.
Do you have questions about Bitnami Drupal or these security issues? Post to our community forum and we will be happy to help you.