Contacting the Security team
In order to report a security issue, or to learn more about the security team, please see the Security team handbook page.
Security public service announcements
This page lists security-related announcements, such as information on best practices. These posts by the Drupal security team are also sent to the security announcements e-mail list.
SA-CORE-2009-002 Drupal core - Administer content types permission
- Advisory ID: DRUPAL-SA-CORE-2009-002
- Project: Drupal core
- Versions: 5.x and 6.x
- Date: 2009-February-11
- Security risk: None
SA-2007-023 - Public service announcement: PHP exploit using Drupal circulating
- Advisory ID: SA-2007-023
- Project: PHP
- Version: PHP 4 < 4.4.3, PHP 5 < 5.1.4
- Date: 2007-October-17
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: unset() hash / index collision exploit using Drupal (CVE-2006-3017)
False Drupal XSS alarm on BugTraq
Someone under the pseudonym "Liz0ziM" sent a false security alarm to BugTraq without first contacting the security team:
http://www.securityfocus.com/archive/1/420671/30/0/threaded
This vulnerability is fixed in Drupal 4.5.6, 4.6.4 and onwards. Drupal's new XSS filter mechanism takes care of all vulnerabilities listed on http://ha.ckers.org/xss.html (and even more).
If you have already updated to at least 4.5.6 / 4.6.4 then you are safe and you do not need to take any action. If you have not updated yet, then we advise you again to do so ASAP.
