Drupal Update Process Flawed By Multiple Bugs (softpedia.com)
An anonymous reader writes: The Drupal CMS, a favorite with large enterprises, has a few bugs in its update process, affecting both the Drupal core update and its modules. The biggest flaw of the three discovered by IOActive researchers allows an attacker to take over the sites via poisoned updates. What's worse is that Drupal's team had known of this issue since 2012, but only recently reopened discussions on fixing the problem.
Serious Drupal shops and clients -never- live update their sites.
I'm glad things are so great for you on Mount Olympus. Some of us AREN'T serious Drupal shops. We upgrade when the software says upgrade. When things break, like they shouldn't, we get pissed off.
For those who aren't involved in the ecosystem, this article can seem alarming.
Yaknow, the whole problem with Drupal is people like you who assume everyone is "in the ecosystem". Drupal has a big issue with it being by developers, for developers. I'm glad you work with large clients - really, I am - but when I, the lowly user, use a product, I expect it to work. I don't have a security team, I don't have a git repository, I don't have anyone to do manual testing. I just click upgrade when the system nags me to do so. And I think people like you forget or don't care about ordinary Drupal installations that get downloaded and serve pages. The fact that your last remark is borderline derogatory towards anyone who just clicks 'upgrade', I think, tells a lot.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!