Security-related announcements, such as information on best practices. These posts by the Drupal security team are also sent to the security announcements e-mail list.
DRUPAL-PSA-2012-001 - localizations - Cross Site Scripting
- Advisory ID: DRUPAL-PSA-2012-001
- Version: 6.x, 7.x
- Date: 2012-March-07
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
PSA-2012-001 - Hash DOS attack prevention with Suhosin needs a .htaccess edit
- Advisory ID: DRUPAL-PSA-2012-001
- Project: Drupal core
- Version: 6.x, 7.x
- Date: 2012-01-11
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Denial of Service
PSA-2011-002 - External libraries and plugins
- Advisory ID: PSA-2011-002
- Date: 2011-June-15
- Project: External libraries and plugins
PSA-2011-001 - "Drupal security update" social engineering
- Advisory ID: PSA-2011-001
- Project: Drupal core and contrib
- Versions: All versions
- Date: 2011-February-17
- Security risk: Not critical
PSA-2010-002 - Views - Administer views permission
- Advisory ID: PSA-2010-002
- Project: Views (third-party module)
- Versions: 5.x, 6.x
- Date: 2010-June-16
- Security risk: Not critical
PSA-2010-001: Policy on release versions and permissions
- Advisory ID: PSA-2010-001
- Project: Drupal core and contrib
- Versions: 5.x and 6.x and above
- Date: 2010-May-13
- Security risk: None
SA-CORE-2009-002 Drupal core - Administer content types permission
- Advisory ID: DRUPAL-SA-CORE-2009-002
- Project: Drupal core
- Versions: 5.x and 6.x
- Date: 2009-February-11
- Security risk: None
SA-2007-023 - Public service announcement: PHP exploit using Drupal circulating
- Advisory ID: SA-2007-023
- Project: PHP
- Version: PHP 4 < 4.4.3, PHP 5 < 5.1.4
- Date: 2007-October-17
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: unset() hash / index collision exploit using Drupal (CVE-2006-3017)
False Drupal XSS alarm on BugTraq
Someone under the pseudonym "Liz0ziM" sent a false security alarm to BugTraq without first contacting the security team:
http://www.securityfocus.com/archive/1/420671/30/0/threaded
This vulnerability is fixed in Drupal 4.5.6, 4.6.4 and later releases. Drupal's new XSS filter mechanism covers all the vulnerabilities listed on http://ha.ckers.org/xss.html (and more).
If you have already updated to at least 4.5.6 / 4.6.4, you are safe and do not need to take any action. If you have not updated yet, we again advise you to do so as soon as possible.