Highly critical Drupal security update

Drupal’s Security Team have announced that at 17:00 BST today, they will be releasing security updates to several contributed modules for Drupal. Full details can be seen in the security announcement.

These updates have been marked as Highly Critical, so should be taken very seriously, with an expected risk score of up to 22/25.

While this doesn’t happen all that often with Drupal sites, it is worth making sure you’re clear about the potential risks and the action that you need to take. Attending to this for our clients is a top priority for Torchbox today (if we manage your Drupal website, then please see below for information about the action we’re taking).

What this means for you

Depending on which modules are installed, there is a chance that your site may be at risk from remote code execution (the ability for an attacker to trigger arbitrary code execution on a vulnerable, remote Drupal installation). The affected modules are used on somewhere between 1,000 and 10,000 sites.

If the at-risk modules are not updated immediately after the upcoming security announcement, there is a chance that your site, and possibly the entire server that your site is hosted on, could be compromised, possibly resulting in your data being accessed, a loss of data, or downtime.

What you should be doing about it:

  • Ensure you have an up-to-date backup of your site - both codebase and database.
  • Watch for the upcoming announcement to know which modules need updating to which version - Drupal core is not affected. This announcement will be made at 17:00 BST today (13th July). It will be worth keeping an eye on the contributed module security advisories list.
  • Patch/update your modules after the announcement as soon as possible.

If your site stores sensitive data, it may be best to patch your site in isolation so that it isn’t exposed to this risk at all - i.e. update an offline copy of your site and overwrite your live site with it.
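Once the advisory is published it lists each affected module with its first fixed version, and the check you then want is "which of my installed modules are below that version". The following is an added example (not code from Torchbox or the Drupal Security Team) that cross-references `drush pm-list --format=json` output against such a table; the JSON field layout is assumed from drush 8, and the module names, versions and advisory entries are constructed placeholders to be replaced with the real ones.

```python
import json
import re

# Constructed sample of `drush pm-list --format=json` output. The field layout
# (status/version keyed by machine name) is assumed from drush 8; the module
# names and versions are invented for this example.
SAMPLE_PM_LIST = json.dumps({
    "example_alpha": {"name": "Example Alpha", "status": "Enabled", "version": "7.x-2.5"},
    "example_beta": {"name": "Example Beta", "status": "Enabled", "version": "7.x-1.0-beta2"},
    "example_gamma": {"name": "Example Gamma", "status": "Disabled", "version": "7.x-1.3"},
    "example_delta": {"name": "Example Delta", "status": "Enabled", "version": "7.x-3.x-dev"},
    "views": {"name": "Views", "status": "Enabled", "version": "7.x-3.14"},
})

# Placeholder advisory table (module -> first fixed version). Replace with the
# modules and versions named in the real security advisory once it is out.
ADVISORY_FIXES = {
    "example_alpha": "7.x-2.6",
    "example_beta": "7.x-1.0",
    "example_gamma": "7.x-1.4",
    "example_delta": "7.x-3.2",
}

_VERSION_RE = re.compile(
    r"^\d+\.x-(?P<major>\d+)\.(?P<minor>\d+|x)(?:-(?P<tag>[a-z]+)(?P<tagnum>\d*))?$")


def parse_version(version):
    """Map '7.x-2.0-beta3' to a sortable tuple; None for -dev snapshots."""
    m = _VERSION_RE.match(version)
    if not m or m.group("minor") == "x" or m.group("tag") == "dev":
        return None
    # Pre-releases (alpha < beta < rc) sort below the final release of the same number.
    final = m.group("tag") is None
    return (int(m.group("major")), int(m.group("minor")), final,
            m.group("tag") or "", int(m.group("tagnum") or 0))


def modules_needing_update(pm_list_json, fixes):
    """Return {machine_name: action} for listed modules below the fixed version."""
    actions = {}
    for name, info in json.loads(pm_list_json).items():
        if name not in fixes:
            continue
        installed, fixed = parse_version(info["version"]), parse_version(fixes[name])
        if installed is None or fixed is None:
            # Dev snapshots carry no comparable number; a human has to check the commit.
            actions[name] = "dev snapshot or unparsable version; check manually"
        elif installed < fixed:
            actions[name] = "update %s -> %s (%s)" % (info["version"], fixes[name], info["status"])
    return actions


if __name__ == "__main__":
    for module, action in sorted(modules_needing_update(SAMPLE_PM_LIST, ADVISORY_FIXES).items()):
        print(module, action)
```

Disabled modules are reported too, since the code is still on disk until it is updated or removed.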

If you’re a Torchbox client then be assured that we’re:

  • Auditing all sites that may be vulnerable to this security risk.
  • Gathering as much information as possible about what these threats are likely to be, ahead of the official release.
  • Ensuring we have developers available to cover updates as soon as possible after the announcement.

It’s well worth subscribing to the Drupal Security Team’s email announcements as they’re an invaluable way of keeping up to date with any potential threats. This can be found from your drupal.org profile page by visiting Edit > My newsletters.

Drupal 6

It’s unknown whether these updates will affect Drupal 6, so it will be worth keeping an eye on https://www.drupal.org/project/d6lts as they’re likely to release information regarding this.

Paul Vetch, Client Services Director