Slashdot Mirror

← Back to Stories (view on slashdot.org)

Drupal Update Process Flawed By Multiple Bugs (softpedia.com)

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes: The Drupal CMS, a favorite with large enterprises, has a few bugs in its update process, affecting both the Drupal core update and its modules. The biggest flaw of the three discovered by IOActive researchers allows an attacker to take over the sites via poisoned updates. What's worse is that Drupal's team had known of this issue since 2012, but only recently reopened discussions on fixing the problem.

55 comments

  1. known bugs are for cows by Anonymous Coward · · Score: -1

    Drupa teams learn from wise asian cows. They just shake their tail, and all those nasty bugs fly away. Mooooo!

    1. Re:known bugs are for cows by davester666 · · Score: 0

      Drupal really needs to work with Wordpress on how to do a good update process.

      If there is anything Wordpress knows about, it's buggy CMS software and updating it.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Derpal by sexconker · · Score: -1, Troll

    Derpal is Wordpress for business / education. It's what you use to host a site when you need some bullshit on the web quickly, you don't care about it being good or secure, and you want someone else to manage the content. (Note that they'll still come to you for help for every single thing.)

    1. Re:Derpal by Anonymous Coward · · Score: 0

      Pretty much this. No serious work should EVER be done in either Drupal or Wordpress if you value security in any minor fashion.

    2. Re:Derpal by Falc0n · · Score: 2

      Must be why the Whitehouse, Weather.com, CARD.com, the New York Stock Exchange, NFL, MLS, and NBA use Drupal. they all certainly don't care for security. *rolls eyes*

    3. Re:Derpal by Anonymous Coward · · Score: 0

      Found the Joomla consultant.

    4. Re: Derpal by Anonymous Coward · · Score: 1

      Agreed. We had a design company build us a new website, and I was excited because it would be easy to modify for non-programmers and the marketing folks would be off us devs' asses. But Drupal has turned out to be a giant fucking mess I wouldn't wish on anyone. I spoke to someone in the Drupal community and their response was "well, if you are going to run Drupal, you should probably pay someone to run it for you." Fuck that. I wanted an Open Source CMS so that I could run it cheaply. What I got a was a headache worse than the old hand-coded site we had before, AND I get to pay more for a bigger server to run both PHP and an RDBMS on it.

      Drupal has been a colossal mistake. I advise others to avoid it.

    5. Re:Derpal by seoras · · Score: 1

      Just before Xmas we had the Joomla patch every version from 1->3 to fix the user agent string attack vulnerability.
      Every Joomla sight I know of cough up it's configuration.php contents causing en-masse password changing.
      http://news.slashdot.org/story/15/12/14/1959231/attackers-can-hijack-joomla-sites-via-user-agent-strings#comments

      All CMS are insecure, it's just knowing where the undiscovered holes are.

    6. Re:Derpal by Anonymous Coward · · Score: 0

      Large organizations have large budgets to hire large and expensive teams to manage content management systems and multiple layers of added security embedded in the server and network layers. Film at 11. Now back to you, Chuck. -PCP

    7. Re: Derpal by Anonymous Coward · · Score: 0

      Yep. We have an internal site that's recently moved over to Drupal on the theory they won't need programmers to update it.

      Updating parts of it requires editing JSON and then running a grunt process that invokes a ruby script.

      Most of the actual content is imported from a database but since I guess Drupalfying it was too hard for the consultants rather than querying the database directly it recreates all the Drupal nodes every hour.

      On the other hand, it's replacing a Java-based website that made liberal use of string concatenation when building database queries.

      Ah, corporate IT...

    8. Re:Derpal by Anonymous Coward · · Score: 0

      multiple layers of added security embedded in the server and network layers

      You'd be surprised how often this absolutely is not the case, and possibly shocked at how often websites for household names are often relegated to side project-like status when placed up against "real" IT and/or other business concerns.

      Yes, even in that lovely little list our Drupal-loving friend rattled off.

    9. Re: Derpal by orasio · · Score: 1

      Fuck that. I wanted an Open Source CMS so that I could run it cheaply.

      "Open Source" doesn't mean that it will run cheaply. In some cases it means just the opposite.
      Also, it doesn't mean "easy". You don't have to pay for licenses, but you still need to do your homework at understanding whether a specific tool suits your use case, at a reasonable cost/effort.

      Drupal is very good if you need to do something hard, like integrate with different applications, build your own modules, or you have a large number of documents, something like that. They use it at my city government, and they do great stuff, they handle a lot of data, a lot of traffic, a lot of services provided to citizens, looking great.

      If you want something easy, you need something easy, like wordpress, or something hosted. It's quite cheap and easy to run. Just need the right tool.

    10. Re: Derpal by Imazalil · · Score: 1

      What in the world are you trying to do with the site?

      Yes, updating a drupal site is a bit of a pain (and going from major version to major version is a real pain), but other than that, it handles content creation and management just fine.

      If you're getting requests from marketing to create new sections or completely new content types with fancy new functionality, then no CMS makes that part easy.

    11. Re: Derpal by Anonymous Coward · · Score: 0

      As with any piece of software, knowledge of how to use it is key. Two years ago I ported a client's Joomla e-commerce website to Drupal 7, and they were amazed at how much easier it was to update, how much faster it was, and how much their customers enjoyed it (and actually complimented the editors). Their revenue went up 1300%, and aside from a crappy inventory system that doesn't output csv files correctly, is 100% automatic where it can be. Now their subsidiaries in other countries are clamoring for a Drupal website to replace their shitty .NET CMS sites.

      It's all in the experience of the developer. Unfortunately, open source means anyone can jump in and build something terrible. Apparently some of us were born knowing everything we'll ever know in life; for the rest of us who aren't blessed in that way, we can learn and make things better.

  3. Web people are idiots by Anonymous Coward · · Score: 0

    Drupal is broken you say? And the developers let boneheaded bugs fester in the codebase for years before deciding to (maybe) think about fixing them?

    Interesting. Remind me, what is Drupal again?

    Drupal [...] is a free and open-source content-management framework written in PHP

    Of course. Why doesn't that surprise me?

    1. Re:Web people are idiots by Anonymous Coward · · Score: 0

      You do know you could replace "Drupal" with any operating system name and "PHP" with C/C++ and have pretty much the same valid statement. How long have Windows and Mac OS and even Linux bugs gone festering for years until someone pointed them out and shamed them into fixing them?

      No codebase or language is 100% secure.

  4. I always hated Drupal by Anonymous Coward · · Score: 0

    But only once I discovered that "Steph the Geek" was into Drupal. Before that I was ambivalent, but she's so lame it skewed my opinion.

  5. Not an issue. by Falc0n · · Score: 4, Insightful

    One of the core reasons why this issue hasn't really been prioritized is because you really shouldn't be live updating your site. Not just Drupal, but I'd argue the same for Wordpress, Joomla, whatever -- its a bad practice. Why?

    Websites are very different from desktop or other normal applications. Most of these apps are tuned to your specific needs, and updates can cause issues. Serious Drupal shops and clients -never- live update their sites. Best practices suggest local or dev updates, which is then tracked by git. Site deployments should go through manual testing at a minimum. Many Drupal hosts don't even allow write access to htdocs -- only the files directory.

    For those who aren't involved in the ecosystem, this article can seem alarming. But as someone who works with Drupal, and its large clients, this is a non-issue. This issue was vetted by the security team, whom are pretty risk adverse; even they didn't believe this met the criteria to be a security issue.

    Should the Drupal update process be improved? Certainly. Is it a 'sky is falling Drupal sites are going to get hijacked?' nope. And for those who DO live update their drupal site, not maintain a git repo for their code, etc, etc.. Good luck. Like an default Linux install (also known to not be secure), Drupal cannot full-proof poor administrator practices.

    1. Re: Not an issue. by Anonymous Coward · · Score: 0

      I agree, only immature Drupal developers would use the UI for updating their site. Any good Drupal developer knows to stay away from the UI way of updating modules because it doesn't allow for recovery when something goes wrong. Git+drush ftw.

      All webapps are insecure. The only secure webapps is one not connected to the Internet.

    2. Re:Not an issue. by DNS-and-BIND · · Score: 5, Insightful

      Serious Drupal shops and clients -never- live update their sites.

      I'm glad things are so great for you on Mount Olympus. Some of us AREN'T serious Drupal shops. We upgrade when the software says upgrade. When things break, like they shouldn't, we get pissed off.

      For those who aren't involved in the ecosystem, this article can seem alarming.

      Yaknow, the whole problem with Drupal is people like you who assume everyone is "in the ecosystem". Drupal has a big issue with it being by developers, for developers. I'm glad you work with large clients - really, I am - but when I the lowly user use a product, I expect it to work. I don't have a security team, I don't have a git repository, I don't have anyone to do manual testing. I just click upgrade when the system nags me to do so. And I think people like you forget or don't care about ordinary Drupal installations that get downloaded and serve pages. The fact that your last remark is borderline derogatory towards anyone who just clicks 'upgrade' I think tells a lot.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    3. Re:Not an issue. by KermodeBear · · Score: 1

      This is one of the reasons I've stayed away from Drupal. The community is pretty awful, in my experience.

      Now that I know they had a patch to move their update request to HTTPS back in 2012 - and ignored it - I'm definitely staying away.

      That's truly amateur hour.

      --
      Love sees no species.
    4. Re:Not an issue. by Anonymous Coward · · Score: 0

      I just click upgrade when the system nags me to do so.

      Please, please, please stick with the simpleton tools which have simpleton recovery processes for when you get simpleton-hacked. Us up here in the biz who have concerns about security are *not* going to allow files which run the website to be writable to the website, which also means there's no way the website is going to be able to update itself. Why the hell would you want it to be able to do that? As soon as a nasty bug is found that allows an attacker to execute in context of the script user, they'll be able to use it to edit the website files to inject XSS/etc into pages that are rendered, and worse. The only directories that are allowed to write on my drupal installs are also not allowed to execute anything via PHP, which protects from such attacks.

      It's great that Wordpress can update 8.7 millions installs overnight after a bad security flaw is found. It's not great that as soon as an attacker MitMs that upgrade process, or is able to take advantage of a zero-day bug on that system, they'll have 8.7 million installs owned overnight.

      Speaking of which, who the hell ever decided that Composer was a good idea? Just how the hell are you supposed to vet all these piddly little chunks of code from every which where all the bloody time every time you update? Holy crap on a cracker batman, just when I thought PHP was going somewhere nice with 7.x, I'm beginning to be forced to use this incredibly misguided schmuck tool, and I'm back to not being able to sleep at night. Pretty sure Oracle must be behind it, for it is surely evil...

    5. Re:Not an issue. by DNS-and-BIND · · Score: 3, Insightful

      Again, I'm glad you're "in the biz". The rest of us aren't. That was the whole entire point of my post. Giving us the finger doesn't help anything.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    6. Re:Not an issue. by turbidostato · · Score: 1

      "Again, I'm glad you're "in the biz". The rest of us aren't."

      While I may not agree with the tone of the parent post, it indeed has a point.

      If you are not "in the biz", probably the right answer is "well, don't mess in the biz, then", the corollary being "pay someone in the biz to do the biz". If you think a bit about it, it seems a reasonable answer in basically any other biz but "computers".

      A somehow more technical answer may be: in order for you to have the comfortability of an "update" button, the program forcibly has to be able to update itself as a request of an external agent: as soon as there's even a minor bug in the process both your site and your data is open for exploitation, so you will have to choose your shit: you either become someone "in the biz", or pay for someone "in the biz", or you know your site and your data will be cracked from time to time.

    7. Re: Not an issue. by Anonymous Coward · · Score: 0

      sudo apt-get install aegir ;drush update

    8. Re: Not an issue. by n0creativity · · Score: 3, Insightful

      Christ, the sense of entitlement flows strong through this one. So let me get this straight. You or your company chose to use a FREE and open source tool to fulfill a requirement. Did you bother to do ANY analysis regarding whether the tool was an appropriate solution? The answer is most certainly "derr... No". Because if you had, you would have quickly realized that while Drupal has the ability to stand up a site within minutes, running a production site of ANY TYPE (internal or external) without any knowledge of how to properly configure, update, test, and deploy said site, is pure stupidity. If manually updating drupal core or any modules is beyond the capability of the person charged with maintaining the site, then Drupal isn't the correct solution for your situation. If you honestly believe that upgrading a production website should take no more effort than a single click of your finger, than your ignorance is reaching true "derptitude" levels. I do believe that the Drupal team needs to make the "easy" button more secure. But if you can't do your job without using the "easy" button, you need to GTFO. Just because you don't have to purchase a license doesn't mean there's no cost involved in running it in production.

    9. Re:Not an issue. by gstoddart · · Score: 3, Insightful

      You've just described good release and change management. It's not unique to Drupal.

      And you would be utterly amazed at just how many places don't do such things. And, depending on the shop, if you feel agile works for you and you're not overly risk averse, you almost eschew such things -- because you are manly and if it breaks such is life.

      I don't use Drupal, and never have. But I do come from backgrounds where you go through a couple of promotions from a dev through to a prod, and test at each step. I do this because I've worked in regulated industries which are well beyond 'risk averse'. I learned to be paranoid in shops where lots of money and possibly human lives were on the line.

      But you would be utterly amazed at just how many people think it's a waste of time, or who will make live updates to a prod system. Far too many in fact. Some days I'm pretty sure Slashdot does it to their detriment.

      Those people can either tolerate some risk, or their employers aren't fully informed of the risks being taken on their behalf. Many places risk is unthinkable.

      Never underestimate just how widespread poor administrator practices are ... a lot of people are lazy, don't care, or are so over-confident you can't but expect them to drive off a cliff.

      I've seen far too many cowboys who always say "it will be fine" or think proper release engineering is a waste of time ... in my experience those people end up red faced and frantic when they finally do hose something beyond easy repair.

      It all depends on the industry you're in, and the consequences of failure. The problem is something you get some idiot who came from a place where the consequences would be minor who come along and fuck up at a place where the consequences aren't.

      Any system can fail spectacularly if you just wing it, do stuff in your live system, and assume you'll never have any problems. Some systems just help you fail more than others.

      --
      Lost at C:>. Found at C.
    10. Re:Not an issue. by Anonymous Coward · · Score: 0

      Then pay for something.

    11. Re:Not an issue. by Anonymous Coward · · Score: 0

      Except:

      1. Drupal downloads are not available via SSH
      2. Drupal only offers MD5 sums of their packages

      It's literally impossible to verify that a Drupal download is good, even if you don't use the official updater.

    12. Re:Not an issue. by Anonymous Coward · · Score: 1

      I abandoned dozens of Drupal modules I maintained because of that community. So glad I've moved on.

    13. Re:Not an issue. by BESTouff · · Score: 1

      That said I tend to agree with the OP on a point: allowing a piece of PHP to auto-update is a recipe for disaster. If you're not "in the biz", use a serious Linux distribution which will handle the packaging and updating for you. That what I do with Owncloud on Debian, and even if I'm a bit behind I'm sure I have a packet correctly updated, which is absolutely not the case with the upstream package. See this article for a discussion about the problem: http://lwn.net/SubscriberLink/...

    14. Re:Not an issue. by Anonymous Coward · · Score: 0

      In case you still didn't get GP's point, it is this -- "PAY UP or SHUT UP".

    15. Re:Not an issue. by Anonymous Coward · · Score: 0

      is it so hard to run apt-get update drupal?

    16. Re:Not an issue. by Anonymous Coward · · Score: 0

      "Drupal has a big issue with it being by developers, for developers."
      That is pretty much spot on. Why are you using it?

      By the way...
      I am using Drupal and so is my company. We would never ever suggest to someone who is not technically inclined to start using Drupal. Even small companies should consider using something else.

    17. Re:Not an issue. by Hognoxious · · Score: 1

      And you would be utterly amazed at just how many places don't do such things.

      Like here, for example?

      The logon problem seems to have gone away (touch wood), but there's been no explanation or announcement as to why. That in itself is pretty shit.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    18. Re:Not an issue. by Anonymous Coward · · Score: 0

      Points if I had them. Parent poster is a douchebag, for use of the term 'best practices' alone.

    19. Re:Not an issue. by Anonymous Coward · · Score: 0

      Even if your not "in the biz" when someone points in the direction of 'best practice' it's often better to shutup and listen. And when someone who 'knows' tell you not to do something, don't do it. Find out why at your leisure.

      In other news, sharp things cut, hot things burn and there no fixing stupid.

    20. Re:Not an issue. by gstoddart · · Score: 1

      Like here, for example?

      Last sentence, 4th paragraph. ;-)

      I did take that swipe for those days when it suddenly says "Slashdot is in offline mode and we currently suck".

      Slashdot absolutely isn't afraid to screw up a live site.

      --
      Lost at C:>. Found at C.
    21. Re:Not an issue. by Waccoon · · Score: 1

      Thanks for this.

      I used to write (and occasionally still do) small, re-distributable scripts meant to be run from shared/virtual hosts. It pisses me off to no end how almost all tools and frameworks are written under the assumption that you'll be running a dedicated server in an enterprise environment where the owner has some kind of admin access to install dependencies separately.

    22. Re:Not an issue. by orasio · · Score: 1

      Serious Drupal shops and clients -never- live update their sites.

      I'm glad things are so great for you on Mount Olympus. Some of us AREN'T serious Drupal shops. We upgrade when the software says upgrade. When things break, like they shouldn't, we get pissed off.

      You can pay someone to worry about that for you.
      It's pretty easy to move to a hosted Drupal service, so you don't have to worry about these issues, and get a nice SLA so you can complain to someone to make your site work for you.

      The web is a spooky place. It's becoming harder and harder to keep your web business online, without a serious team dedicated to secure it.

    23. Re:Not an issue. by rosencreuz · · Score: 2

      Also if we are not supposed to do live updates, why is there such a feature? Is it ok to provide a feature and create security vulnerabilities and then tell 'you shouldn't use it'?

      Are they simply telling Drupal is not for us and we should use something else instead?

      Because of the disappointment and frustration from v8, I'm seriously planning to move the wordpress.

    24. Re:Not an issue. by trawg · · Score: 1

      So I come from a webdev background; our formal practices for clients involve good release and change management, so I'm not a stranger to them.

      However, while things like Drupal and WordPress are often used as the basis for client projects by companies that do that sort of "best practice", I think it's important to remember that for many users, it's basically the equivalent of installing a new application on their desktop computers - they just click a bunch of things and presto, it is online.

      I guess there's an analogy to enterprise desktop environments where the desktops are locked down by IT and users can't install anything on there until it has gone through an extensive process.

      Their shiny new Drupal or WordPress or whatever is now just an application running on someone else's computer. Like most desktop software it's a fully functioning "production" instance.

      This is largely because of cheap hosting, the general "cloudification" of everything, and the externalities of many common hosting problems (e.g., spam, compromised sites being used as botnets, etc).

      Just like casually installing Notepad++ on the desktop, there are plenty of times where setting up a production-only instance of Drupal/WordPress/etc is fine. We can't expect the average user to be an expert in web hosting, or Windows desktop management, or Linux firewall rules, or whatever.

    25. Re:Not an issue. by armanox · · Score: 1

      Even if you are not in the biz, the Drupal update page even tells you not to just upgrade. What does it say to do? Take your site offline, make a backup, and then run the upgrade process and check for errors. Yes, there is a certain level of knowledge required to run Drupal. I didn't find Sharepoint to be much simpler when I worked with that to be perfectly honest (the Drupal site I used to admin still pays me to do updates, a couple years later. The Sharepoint site that I am in charge of...the update status scares me sometimes.

      For the record, I don't have a git repo for Drupal either. I usually create a full backup of the files, modules, and database before updating (and my personal system at home I get to use snapshots for testing)

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    26. Re:Not an issue. by amicusNYCL · · Score: 1

      Drupal cannot full-proof poor administrator practices.

      When did that become a phrase? What would "full-proof" mean? It's immune to, what, being full?

      "Hey pal, you want the diet whiskey with that?"

      "No, I'll have the full-proof."

      How about "fool-proof"?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  6. thanks sam by turkeydance · · Score: 1

    news for nerds

  7. Disagree about the actual issues with the article by bjdevil66 · · Score: 2

    Did you actually read the article, or did you just have a bad experience with Drupal (or its community)?

    I agree with the GP comment about the article's concerns. That's not saying there aren't real problems with Drupal as a whole when it comes to usability for noobs, or documentation, or getting enthuiastic community support anymore (it has died off some since the D7 to D8 community schism.

    But come on. It doesn't take a security team to deal with the article issues. And you don't even have to do manual testing after an update. Just use automatic CI testing (Behat, etc.) to ensure the site holds up after an update. travis-ci.org tied to a Github repo for automatic test execution with each new commit is your friend.

    Finally, if you aren't using version control (such as Git) for professional web development - Drupal or not - that's irresponsible, unprofessional, and dangerous. It's like driving drunk without insurance in someone else's car. Sooner or later it's gonna catch up with you - and if you're managing a web site that does more than serve a simple brochure site, that car crash is not gonna be pretty.

    Seriously - get with the times. Use Git. Learn "git clone", "git init", "git add somefile.php", "git commit", "git push", "git fetch" (and "git pull"), "git diff", "git log" "git stash", "git reset --hard HEAD~1 (or the commit's hash)" (and what --soft and --mixed mean vs. --hard), "git revert", and you're ready to do 99% of anything you'll ever need to do with Git. It's just not that hard or scary. Really. If you want ridiculously hard, try using the superfluous, bullshit Database API in Drupal 7 to anything beyond a SELECT query. Talk about a waste - was db_query() with sanitation really not good enough, Dries? Backdrop got that part right... :)

  8. Bullshit by Anonymous Coward · · Score: 0

    1. Drupal doesn't have an autoupdate process; all updates have to be done manually
    2. Only an idiot updates a live production machine before testing any and all updates on a dev machine first
    3. Once an update is tested you update by uploading from your dev server to the production server so there's no middle man
    4. WTF is with this stupid FUD and the modded up idiot that knows nothing about Drupal (looking at you DNS-and-BIND)?

  9. Drupal, your local POS by Anonymous Coward · · Score: 0

    Drupal might be nice if you like snapshot "mine looks like his, looks like the default" websites, but that's what it amounts to. Drupal is a POS. If you want to make any non-standard change, you have to take what is already there (oh noes, never modify the original), make a copy, then hack on that. And if what you want isn't already there, then you are fucked. Been there, done that. Next come the weenies saying "but its all there!" And no its not. I spent a lot of time debugging a druapl book teaching drupal. The API had changed massively, and no one gave a shit about having something that works. Now its kinda wacked: I had built a system so that I could just drop in a new version of Drupal, and I wouldn't even have to decompress the file for the upgrade and all the extras to be upgraded (and I remember so-called 'developers' having a hard time with that. But its a poorly documented, piece of shit. Development took about 20 times a long to do even simple things as any other kind of site. "Oh, but its enterprise" and my response is "so is anything else". Its all bits flowing, and the databases are common, and the backend and the flow of bits isn't this, this is just site content, and everyone else does it too, and just as easily. The others can be as advanced (actually more so), but Druapl is crap. Why would anyone build a highway with hairpin turns and steep grades on a flat plane? But Drupal insists its the right way to go. Stupid.

  10. Drupal rocks :) by amoeba47 · · Score: 3, Informative

    As someone who has developed with Drupal for several years, I just want to add a positive perspective to balance the expected usual negative comments here. Drupal is a great CMS and web application framework. Extensible and flexible it can be adapted for many applications. Moreover, the Drupal community is knowledgeable and helpful. Growing from strength to strength with each release, I love working with Drupal. That is all.

    1. Re:Drupal rocks :) by amicusNYCL · · Score: 1

      Thank you. The check's in the mail.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Drupal rocks :) by Anonymous Coward · · Score: 0

      Drupal is the kindest, bravest, warmest, most wonderful CMS I've ever known.

  11. php ssl certification validation by Ice+Station+Zebra · · Score: 1

    If I remember right, php didn't start checking peer ssl certs until 5.6. Then it doesn't really matter if http or https is used because php wouldn't even notice if the cert was invalid if you aren't on php >= 5.6.

  12. Not how enterprise Drupal is updated by Anonymous Coward · · Score: 0

    Most enterprise Drupal installations (as opposed to small businesses or individuals who happen to have Drupal sites) use the following process to update:

    - Have a local build script (typically using drush)
    - Build locally
    - Commit to git repo
    - Push update to the server

    Unless I'm mis-reading the article, I don't believe this process is effected by the bug described.

  13. Response from the Drupal security team by netol · · Score: 1

    Below are some quotes of the critical issues from the blog post and the Drupal Security Team’s analysis of the risks: https://groups.drupal.org/node...

    1. Re:Response from the Drupal security team by Anonymous Coward · · Score: 0

      Fucking OOPS. And this was open HOW long before they fixed it?

      Adult supervision fail.