Drupal 4.5.8 / 4.6.6 / 4.7.0-beta6 fix four security issues!

New versions of Drupal are out for the 4.5.x, the 4.6.x and the 4.7.0-beta branches which fix 4 (in words: four) security issues from four different categories, namely: access control bypassing, cross-site scripting, session fixation, and mail header injection.

All the gory details are available in the release announcement and the four advisories: DRUPAL-SA-2006-001, DRUPAL-SA-2006-002, DRUPAL-SA-2006-003, and DRUPAL-SA-2006-004.

Upgrade now!

Warning: If you're using 4.5.x, the patches for DRUPAL-SA-2006-003 will not fix the security issue immediately. You have two options: a) upgrade to 4.6.6 instead of 4.5.8, or b) upgrade to PHP >= 4.3.2.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

New Version released

The new version of Drupal was released on the 15th January. The security issues appear to have been dealt with. You can download the new version here: http://ftp.osuosl.org/pub/drupal/files/projects/drupal-5.0.tar.gz

Security Advocate

This is good. Drupal knows how to get the people. People look after security and Drupal was good at that. I myself am a security advocate. I am always considering my security over the Internet the same way I am
Considering Home Security Systems
for my own home.

Jim Bouree
http://www.gethomesecurity.info/

Unofficial debs for the 4.6.x series

Do you know if anybody is maintaining unofficial debian packages for the Drupal 4.6.x series?

Drupal 4.6 Debian package

Nope, sorry, I don't know of such packages...