Security update: the Drupalians' crazy night

Technology: A critical security update was released last night for several versions of the Drupal CMS. No attack has been identified for the moment, but it could be just a matter of hours, says the publisher. Warned in advance, the community spent the night in the starting blocks.



For Tris Acatrinei, who runs 4 sites on Drupal and also keeps a great blog on zdnet.fr, the wait was long and intense. "From the outset, I blocked out my entire evening just for that," she told us in the middle of the night. As a wise precaution, she had made a backup of her online data the day before. "I put all my sites into maintenance mode and now, like everyone else, I'm waiting for the release. I saw several people on Twitter say that the 7.58 core was available in the FTP directory, but I really prefer to wait until the official Drupal Security team announces it."

Drupalians do not cry wolf
"Since it's not especially in Drupalians' DNA to cry wolf for nothing, I guess they must have found something beefy," Tris warned. And she was all too right. The flaws could allow attackers to target a Drupal-based website in different ways and "could completely compromise the site," the publisher said today (34 volunteers). In plain terms, enough to do a lot of damage.

An attacker could compromise your site from any web page, warned the Drupal project. And this gaping hole does not even require him to log in to a service or to have administrator privileges. Put plainly, anyone can anonymously attack and take down your website. Or take the data.

Drupal warns that although no attack has been recorded so far, it could be only a matter of hours. So patching is important. The vulnerabilities, referred to as CVE-2018-7600, are at the core of the software and affect CMS versions 6, 7 and 8 (more information in the Drupal FAQ).

"Reserve time for updates"
The Drupal developers are so worried that they had already warned the community last week, without hesitation. The announcement had the effect of a small bomb: it was necessary to prepare for something important. Drupal has released patches for older releases of its latest software, 8.3 and 8.4, as well as for the latest version, 8.5, so that websites can be updated as soon as possible. A 7.x patch is also available.

"The Drupal security team is inviting you to reserve time for updates, because exploits could be developed in hours or days," the publisher warned last week. The intention was good, but the announcement also had the consequence of overloading the project's servers, making it more difficult to publish and distribute the patches, notes The Register.

Between the lines, this underlines the appetite for the tool. Drupal is a content management system that powers more than 1 million websites. Of the 10,000 most popular sites running a known CMS, 9% run Drupal, according to builtwith.com.

Still, the update seems to have been quite simple for those who got down to the task as soon as it was released. "No particular problem for me with the update. To be seen in a few hours or a few days, because sometimes there are glitches," said Tris Acatrinei.
