[Hidden-tech] Fwd: Urgent Security issue: Drupal & Wordpress: Denial of service

Rich Roth webmaster at hidden-tech.net
Fri Aug 8 11:52:25 EDT 2014




-------- Original Message --------
Subject: 	Urgent Security issue: Drupal & Wordpress: Denial of service
Date: 	Fri, 8 Aug 2014 11:46:18 -0400
From: 	Work <michaelk at tnrglobal.com>



All-

This is a serious security issue. ALL Drupal and WordPress installations should be updated 
as soon as possible. This is not a “wait and see” exploit; updates (or at the very 
minimum, mitigation) should be handled ASAP.

MK


*_Drupal_*

https://www.drupal.org/SA-CORE-2014-004

*Versions affected*

  * Drupal core 7.x versions prior to 7.31.
  * Drupal core 6.x versions prior to 6.33.

*Solution*
Install the latest version:

  * If you use Drupal 7.x, upgrade to Drupal core 7.31
    <http://drupal.org/drupal-7.31-release-notes>.
  * If you use Drupal 6.x, upgrade to Drupal core 6.33
    <http://drupal.org/drupal-6.33-release-notes>.

If you are unable to install the latest version of Drupal immediately, you can 
alternatively remove the xmlrpc.php file from the root of Drupal core (or add a rule to 
.htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are 
sufficient to mitigate the vulnerability in Drupal core if your site does not require the 
use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if 
you are using a contributed module that exposes Drupal's XML-RPC API at a different URL 
(for example, the Services module); updating Drupal core is therefore strongly recommended.

*_WordPress_*
http://wordpress.org/news/2014/08/wordpress-3-9-2/

Further info:
http://thehackernews.com/2014/08/millions-of-wordpress-and-drupal.html


------

Sincerely,

Michael Klatsky --- TNR Global, LLC
VP-Systems
http://www.tnrglobal.com <http://www.tnrglobal.com/>
PO Box 550, Greenfield, MA 01302
michaelk at tnrglobal.com <mailto:michaelk at tnrglobal.com>
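
An added example, not part of the forwarded message or the Drupal advisory: a POSIX shell check that reports whether a docroot falls in the affected ranges listed above and whether the xmlrpc.php mitigation is in place. It assumes core still carries its stock `define('VERSION', ...)` line, and it does not check the OpenID module or contributed modules that expose XML-RPC at another URL.

```shell
#!/bin/sh
# Return 0 if VERSION is affected (7.x < 7.31 or 6.x < 6.33), 1 if not,
# 2 if the string cannot be parsed.
drupal_affected() {
    case $1 in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}          # "30-dev" -> "30"
    [ -n "$minor" ] || return 2
    case $major in
        7) [ "$minor" -lt 31 ] ;;
        6) [ "$minor" -lt 33 ] ;;
        *) return 1 ;;
    esac
}

# Print the core version of a docroot. Assumption: the stock define('VERSION', ...)
# line is present (includes/bootstrap.inc in 7.x, modules/system/system.module in 6.x).
drupal_version() {
    for f in "$1/includes/bootstrap.inc" "$1/modules/system/system.module"; do
        [ -f "$f" ] || continue
        v=$(sed -n "s/^define('VERSION', *'\([^']*\)');.*/\1/p" "$f" | head -n 1)
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# Print removed | blocked | exposed for the root xmlrpc.php. "blocked" is a heuristic:
# .htaccess has a <Files>/<FilesMatch> section naming xmlrpc; its directives are not checked.
xmlrpc_state() {
    if [ ! -e "$1/xmlrpc.php" ]; then echo removed
    elif grep -Eiq '^[[:space:]]*<Files(Match)?[[:space:]].*xmlrpc' "$1/.htaccess" 2>/dev/null; then echo blocked
    else echo exposed
    fi
}

# One-line verdict; returns 1 for an affected core with xmlrpc.php exposed.
check_site() {
    v=$(drupal_version "$1") || { echo "$1: no Drupal 6/7 version found"; return 2; }
    rc=0; drupal_affected "$v" || rc=$?
    case $rc in
        0) s=$(xmlrpc_state "$1"); echo "$1: Drupal $v AFFECTED, xmlrpc.php $s"
           [ "$s" != exposed ] ;;
        1) echo "$1: Drupal $v not in affected range" ;;
        *) echo "$1: version '$v' not parseable, check manually"; return 2 ;;
    esac
}

for d in "$@"; do check_site "$d" || :; done
```

Run it with one or more docroot paths as arguments; a "blocked" result still needs a manual look at the rule itself, and at whether the site depends on XML-RPC or OpenID.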
