Contacting the Security team

In order to report a security issue, or to learn more about the security team, please see the Security team handbook page.

Security public service announcements

Security-related announcements by the Drupal security team, such as information on best practices. These posts are also sent to the security announcements e-mail list.

SA-CORE-2009-002 Drupal core - Administer content types permission

  • Advisory ID: DRUPAL-SA-CORE-2009-002
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2009-February-11
  • Security risk: None

SA-2007-023 - Public service announcement: PHP exploit using Drupal circulating

Heine - October 17, 2007 - 18:29
  • Advisory ID: SA-2007-023
  • Project: PHP
  • Version: PHP 4 < 4.4.3, PHP 5 < 5.1.4
  • Date: 2007-October-17
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: unset() hash / index collision exploit using Drupal (CVE-2006-3017)

False Drupal XSS alarm on BugTraq

chx - January 4, 2006 - 16:15

Someone under the pseudonym "Liz0ziM" sent a false security alarm to BugTraq without first contacting the security team:

http://www.securityfocus.com/archive/1/420671/30/0/threaded

This vulnerability is fixed in Drupal 4.5.6, 4.6.4 and onwards. Drupal's new XSS filter mechanism takes care of all vulnerabilities listed on http://ha.ckers.org/xss.html (and even more).

If you have already updated to at least 4.5.6 / 4.6.4 then you are safe and you do not need to take any action. If you have not updated yet, then we advise you again to do so ASAP.
