Hello,
We're using a 6.x version of remember_me and I'm wondering whether the "known" security issue in the 7.x version is also present in the 6.x version. See SA-CONTRIB-2017-025. I have a hard time determining whether I need to uninstall the 6.x version at all cost, or if I can patch whatever security issue there is.
Does anyone in here know whether the 6.x version is affected and/or what the security is exactly?
Comment | File | Size | Author |
---|---|---|---|
#6 | SA-CONTRIB-2017-025.patch | 2.37 KB | dsnopek |
Comments
Comment #2
dsnopek: Generally, the security team doesn't release the details of a vulnerability that got a module unsupported until at least 2 weeks after the SA is published. That would mean this upcoming Wednesday at the earliest.
Comment #3
decafdennis: That's good to know, thank you. Do you know if they will update the SA, or publish it as a project issue, or...?
Comment #4
dsnopek: This is still being discussed privately (I'm on the security team :-)). Ideally, someone will step up as new maintainer and release a fixed version for D7! That will be the best way to disclose what the vulnerability is. But if that doesn't happen, then it could end up as a public issue.
Comment #5
decafdennis: @dsnopek Makes sense. I'd pick up maintenance but I don't use or work with D7 or D8 (yet). I'll keep tracking this issue.
Comment #6
dsnopek: Sorry for taking so long to come back to this! Here's a D6 patch that fixes the same security issue.
Comment #7
dsnopek: Patch committed to repo!