Drupal security update aftermath

Two days on from Wednesday’s security announcement, there has been some debate in the community about whether the Drupal Security Team overstated this security release.

While the number of vulnerabilities ultimately turned out to be low, we believe that the manner in which this was handled by the team was correct. A remote code execution exploit can be every bit as severe as a SQL Injection exploit.

Please note, your site is at risk and may have been compromised already if you haven’t taken steps to update or remove the affected modules.

Bearing in mind that Open Atrium, a very popular Drupal distribution, includes Coder (one of the affected modules) in its suite of modules, there’s no doubt that this was a very far-reaching issue.

We're pleased to report that Torchbox were well prepared for the security updates that were released (and our blog post seems to have helped many others).

Following our own advice, our preparation included:

  • auditing all potentially affected sites to help us quickly cover any eventuality from the security release
  • assigning developers to sites to ensure an even workload and a timely response

We’re proud to say that all of our affected sites were patched and deployed by 16:30 UTC, just half an hour after the security release, and many were done much quicker than this.


Paul Vetch, Client Services Director