By fago on
It seems that a vulnerability has been discovered in phpxmlrpc, which I think Drupal is using too.
I've already submitted this to the security team via the contact form.
Comments
XMLRPC Vulnerability: Some more links
In this forum topic they claim Drupal is among some of the vulnerable applications.
This one is an explanation of the problem in XOOPS.
Is the problem just not checking what's received through XML-RPC? Is Drupal vulnerable to this?
-- gz
Yes.
Yes. A new Drupal release will be released later today.
Uwe.
--
hermann-uwe.de | crazy-hacks.org | unmaintained-free-software.org
Mailing list for security updates
Is there a specific Drupal mailing list for security updates? I just happened to log in yesterday, saw the announcement and patched immediately, but I would like to be informed by e-mail about critical security updates.
thanks in advance,
mitomac
Mailing list
We sent out an e-mail to the Drupal newsletter mailing as well as to the other Drupal mailing lists. In addition, notification e-mails were sent to Secunia and Bugtraq. Nonetheless, creating an announcement mailing list sounds like a good idea.
Use newsletter
We definitely don't need yet-another-mailing-list -- the newsletter list is an appropriate place to use for announcements as well -- e.g. news and announcements.
A web page & RSS feed would be better
My suggestion: create a drupal-security-bulletin (or drupal-important-bulletins, or something similar) web page with RSS feed. Preferably listing each Drupal release version and its known security status.
Relying only on email, or on searching the forums, is an inefficient way to stay aware of important status updates.
My site was successfully defaced by an attacker who exploited this vulnerability. It would have been nice to have a static location to check for issues like this yesterday ...
(not pointing fingers; just commenting).
-Bryan Lockwood
http://adminfoo.net
Which files
Can someone tell me which file (or files) were changed to fix this?
Thanks
as posted
As posted here, you can use this patch for 4.6.1.
re: xmlrpc, is this ok?
I replaced my (wasn't it the?) comment module last week or so when it was first offered as a choice and today I just replaced the xmlrpc(s).inc files with the ones in the new tarball.
Am I covered? Using 4.5.x, I'm still too chicken to do a full upgrade.
--You talk the talk, but do you waddle the waddle?
If you replaced the
If you replaced the xmlrpc*inc files with those from the 4.5.4 release, you should be safe. But please also check that you applied the filter-4.5.3.patch, which fixes a similarly serious security issue.
Uwe.
--
hermann-uwe.de | crazy-hacks.org | unmaintained-free-software.org
Vulnerability hits Netcraft News
Expect more inquiries about this: It's the lead story in today's issue of the Netcraft Newsletter:
see http://news.netcraft.com/archives/2005/07/04/php_blogging_apps_vulnerabl...
My upgrade process
On the release announcement page for 4.6.2 it said to either follow the instructions in INSTALL.txt or to patch. Well, in INSTALL.txt it said this funky process of doing a backup, removing all files, then applying the new files. Hmmm....
Instead I did:
and let the patch program take care of it. Seems to have worked fine.
David Herron - http://7gen.com/
David Herron - 7gen.com/, The Long Tail Pipe, davidherron.com/drupal-blogging-hints
interesting, but did you not
interesting,
but did you not mean:
But all the tips, tricks and ready-to-use patches can be found in the announcement of the security-fix release.
---
If you don't like the choices being made for you, you should start making your own.
---
[Bèr Kessels | Drupal services www.webschuur.com]