Drupal 7.32 is an Absolutely Necessary Update
We’re accustomed to the Drupal security team releasing security fixes.
Fortunately, most of those fixes have been relatively minor: they either affected a small group of sites, or they were unlikely to lead to your site being hacked.
Let’s take a brief look at the 4 previous Drupal security advisories in 2014:
- Drupal 7.31: A possible denial of service, so your site could be inaccessible
- Drupal 7.29: A possible denial of service, so your site could be inaccessible
- Drupal 7.27: Some private information could possibly be leaked from people using multi-step forms
- Drupal 7.26: It’s possible to take over an administrator account, but only if they’re using OpenID
None of those issues were absolutely critical for all sites.
Drupal 7.32 is different. All site owners need this security fix.
Drupal.org has an FAQ on this security release:
“Unlike typical security advisories released for Drupal, the nature of this vulnerability provides a way for an attacker to create an exploit without needing an account or tricking someone into exposing confidential information.”
In short, the issue fixed by 7.32 is a SQL injection that could allow an anonymous attacker, with no account and no user interaction, to compromise any Drupal 7 site running 7.31 or earlier. It’s the most serious Drupal security issue in a long time.
You should update. Now.
Where is the security issue?
The problem is in /includes/database/database.inc, in the expandArguments() method of the DatabaseConnection class. That method takes a query placeholder whose value is an array (for example :name with two values) and expands it into :name_0, :name_1 and so on, splicing those generated placeholder names directly into the SQL text before the query is prepared.
The old, vulnerable code starts at line 735, and the new, safer code starts at about the same line. The two differ by a single line.
In the old code the suffix after the underscore is the array key, taken exactly as it was submitted. When the array comes from a request, the attacker chooses the key, and that key is written straight into the SQL statement instead of being bound as a parameter. array_values() renumbers the array as 0, 1, 2, … before the loop runs, so the only user-controlled data left is the values, and those are still bound by the database driver.
So, replace this line in database.inc:
foreach ($data as $i => $value) {
with this line:
foreach (array_values($data) as $i => $value) {
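To make the difference concrete, here is an added example (written for this page, not code from the original post or from Drupal core): a cut-down re-implementation of the placeholder expansion that expandArguments() performs, with a $safe flag that switches between the 7.31 loop and the 7.32 loop. The function name expand_arguments(), the helper args_well_formed() and the sample query and input are assumptions made for illustration; the array with hostile keys is constructed here, whereas in the real bug it arrived from a submitted form field such as the login form’s name field sent as name[...]=....

```php
<?php
// Added example, not Drupal's own code: a trimmed re-implementation of the
// placeholder expansion in DatabaseConnection::expandArguments()
// (includes/database/database.inc). Drupal hands the expanded query and
// $args to PDO; here they are simply returned so the effect of the
// one-line change is visible.

function expand_arguments($query, array $args, $safe) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    // 7.31 and earlier: iterate $data directly, so $i is whatever array KEY
    // the caller sent. 7.32: array_values() throws those keys away and $i is
    // always 0, 1, 2, ...
    $items = $safe ? array_values($data) : $data;
    foreach ($items as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    // The generated placeholder names are spliced into the SQL text here.
    // The values stay in $args and are bound by the driver; a placeholder
    // NAME is never a bound value.
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

// Invariant the fix restores (helper assumed for this example): every
// placeholder name handed to the driver is a bare :identifier. Anything else
// means request-controlled text has reached the SQL statement.
function args_well_formed(array $args) {
  foreach (array_keys($args) as $name) {
    if (!preg_match('/^:\w+$/', $name)) {
      return FALSE;
    }
  }
  return TRUE;
}

$sql = 'SELECT uid FROM users WHERE name IN (:name)';

// Constructed input: the keys are attacker-chosen, as they were when the
// array came straight from a submitted form field.
$hostile = array('0 OR 1=1 -- ' => 'alice', 'x' => 'bob');

foreach (array('7.31' => FALSE, '7.32' => TRUE) as $label => $safe) {
  list($q, $a) = expand_arguments($sql, array(':name' => $hostile), $safe);
  echo "$label: $q\n";
  echo "  placeholders well-formed: " . (args_well_formed($a) ? 'yes' : 'NO') . "\n";
}
```

Run with the PHP CLI and the 7.31 branch prints the query with the hostile key embedded in it, `IN (:name_0 OR 1=1 -- , :name_x)`, and reports the placeholders as malformed; the 7.32 branch prints `IN (:name_0, :name_1)`, because array_values() has discarded the submitted keys and only the bound values remain under the attacker’s control. That is the whole of the fix: nothing about the values changes, only the source of the placeholder suffix.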
Summary
You can update just the single line in database.inc as a stopgap, or you can do a full Drupal update to 7.32. To confirm which version of the file a site is running, open includes/database/database.inc and check whether that foreach already reads array_values($data).
But, you must update. Keep in mind that the one-line change only closes the hole; it does not undo anything an attacker may have done to a site that was exploited before the patch went in.
Nice article!!!!!
Can I apply the patch directly to an older version, e.g. 7.15?
Hi Simon. Yes, you can do that.
Hello there, is it possible that there is no difference between the script lines above?
Greetings, Will
Yes, a very small change