As you are probably all aware, yesterday the security team announced that next week a highly critical issue will be released for D7+D8 (https://www.drupal.org/psa-2018-001).
Do you know if this will also affect D6, and do you have a timeline for when a patch for D6 could be backported?
Update: here's the link to the SA:
Comment | File | Size | Author |
---|---|---|---|
#63 | SA-CORE-2018-002-bugfix1.patch | 503 bytes | dsnopek |
#63 | SA-CORE-2018-002.patch | 2.5 KB | dsnopek |
Comments
Comment #2
dsnopek: Yes, this affects Drupal 6 too.
As always, we'll be publishing a fix shortly after the Drupal 7 & 8 security advisory is published.
The official D6LTS vendors have access to the private security team issue tracker, and have been working on this in private. So, we're not just starting from scratch when the announcement comes out, we'll have something ready in advance. :-)
Comment #3
O'Briat: Should this issue be kept open until the patch is posted in it?
Comment #4
howdytom (volunteer): Yes, please keep it open.
Comment #5
C-Logemann: This issue was about the question of whether there will be a D6LTS patch for the related PSA. That question was answered, and the issue is now correctly in the "fixed" status.
But I think it's not helpful to open too many issues, so I'm renaming it and reopening it.
Comment #6
mrtwo87: Will the patch be available here, or where would we go to find it for D6?
Thanks!
Comment #7
dsnopek: Yes, the patch will be published in this issue queue (and committed to the Git repo for this project) as well as distributed by the individual D6LTS vendors in their own way.
For example, myDropWizard will also publish on its blog, make a full D6 release, and update the data used by the mydropwizard module. Tag1 has its own channels for getting patches out as well. Hopefully, with all that we'll be able to make sure everyone knows where to get it! :-)
Comment #8
tobi20: Will there also be a patch for Pressflow 6? Will it be available here?
Comment #9
mikebrooks (at SNP Technologies, Inc.): @tobi20, for Pressflow 6, I follow https://github.com/pressflow/6/issues. If no patch is posted there, I intend to apply the patch posted to this issue queue.
Comment #10
dsnopek: Speaking for myDropWizard, we have several clients on Pressflow, and we intend to make a PR on the Pressflow GitHub project as well (like we did for the last Drupal 6 core security update - see https://github.com/pressflow/6/pull/112)
Comment #11
mparker17: @dsnopek, I'm a maintainer of pressflow/7 and appear to have commit access to pressflow/6 as well. Tag me on the PR and I'll review and merge as soon as I am able (my GitHub username is the same as my drupal.org username)
Comment #12
dsnopek: @mparker17: Thanks, will do!
Comment #13
hanoii: I know it's a long shot question, but do you know if this will affect older Drupal versions? I happen to still maintain a few D5 sites and one or two D4.6 sites :scream:
Comment #14
fgm: I have a D5 site still online and plan on porting the D6 patch, if applicable, once my customer's and my own D8/D7/PF6 sites are fixed, probably tomorrow. Assuming no one does it earlier.
Comment #15
estoyausente: The Pressflow issue has already been created here:
https://github.com/pressflow/6/issues/114
I hope it is updated as soon as possible once the other patch is released.
Comment #16
actionmedres: Hi,
I maintain Drupal 6 websites. Does anyone have any idea what time the Drupal 6 patch will be released this evening?
Thanks
Comment #17
Jeremy (at Tag1 Consulting): The intent is to release the D6 patch immediately following the release of the D7/D8 patches. Thus, during the same time window as is documented in PSA-2018-001.
Thanks to subscribers of Tag1 Quo and myDropWizard for paying for the extensive back porting and testing efforts! All versions of the patches will be made available to everyone at the same time.
Comment #18
dsnopek: Renaming issue to prepare for when the actual SA is out! (Release window is still 45 minutes away)
Comment #19
dsnopek: Here's the patch! I'll commit it to the repo in a moment.
Comment #20
Jon Pugh: Applied nicely, THANK YOU!
Comment #21
MrAdamJohn: Loving the fact that this is out now for D6 - such a relief. ;)
We have applied to several test environments without issue and are proceeding with full scale rollout expeditiously.
Comment #22
thomas.fleming (at inRESONANCE): Thank you!
Comment #23
dsnopek: Closing :-)
Comment #24
kubrt: Applies nicely, thanks!
Comment #25
steeph: Thanks a lot!
Comment #26
Fernando Iglesias: Thanks guys, just want to add my 2 cents that this is applying cleanly to Pressflow 6. Stay safe out there.
Comment #27
katherined: Thank you!
Comment #28
bwoods (volunteer): Awesome job at getting this ready so quickly!
Comment #29
howdytom (volunteer): Thank you! Worked like a charm.
Comment #30
hanoii: For what it's worth, attached (and hidden from the patch view) is a D5 backported patch.
EDIT: I haven't tested with older PHP versions; it works with PHP 5.6.
Comment #31
hanoii
Comment #32
hanoii
Comment #33
neurer: Excellent work. Thank you.
Comment #34
nickw: Thank you very much!
Comment #35
Haza: Thanks for your work!
Comment #36
hanoii: And yes, thank you @dsnopek et al.
Comment #37
dietric@gmail.com: Great work, we're patching away!
Comment #38
manuel.adan: I thank you too!
Comment #39
manuel.adan: Sorry, just F5 ;)
Comment #40
leofishman: Thanks a lot!!
Comment #41
fgm: @hanoii++
Comment #42
pauljb: Thanks!
Comment #43
hirbys: Most appreciated. Thank you.
Comment #44
Roger-Ro: Updating via the mydropwizard module is still not possible. Do you know when it will be?
EDIT: "drush rf" before "drush up" solved this issue.
Comment #45
Ishino (at Capgemini): Tested and confirmed working. Thanks!
Comment #46
onehp88: Thank you!
Comment #47
jwilson3: @dsnopek Will the patch from #19 be added alongside the one for SA-CORE-2018-001?
I.e., here:
https://cgit.drupalcode.org/d6lts/plain/common/core/
Comment #48
MatthijsG: Just mentioning that you can also download a forked (?) Drupal 6 here
https://github.com/d6lts/drupal/releases/tag/6.42
Thanks to @dsnopek from Dropwizard
Comment #49
damontgomery: I was able to update a D6 site with the mydropwizard module. You can check if the patch is applied by searching for "_drupal_bootstrap_sanitize_input" in "includes/bootstrap.inc".
I was able to use mydropwizard after upgrading to Drush 7.4.0, which was the latest version supported by the PHP on the server the site is using. Drush 7.4.0 requires Composer, which was compatible with that server's PHP version.
Thank you!
Comment #50
anschinsan: Thank you very, very much for this fast work!
Good night from Europe!
Comment #51
gngn (at Computer Manufaktur GmbH): Thank you!
Comment #52
chinita7: Thanks a lot!!
Comment #53
flickerfly (volunteer): Thank you!
Comment #54
chrowe
Comment #55
jimboh: Thanks again.
Comment #56
MarcelloCerruti: Why isn't the commit for the patch listed here: https://cgit.drupalcode.org/d6lts/ ?
Comment #57
ciss (volunteer): It's a cgit caching issue. Try e.g. https://cgit.drupalcode.org/d6lts/tree/common/core?foo .
Comment #58
ciss (volunteer): @chrowe the PSA is 001, the SA is 002.
Comment #59
NiklasBr: Thank you for providing this patch!
Comment #60
dsnopek: For posterity, added the link to the SA to the issue summary.
Comment #61
tescometro: All good and patched up. But... is there a test to show the patch is actually working? And the potential exploit denied?
Comment #62
ciss (volunteer): Not publicly. The tests are said to be published in about two months, to avoid lending exploit authors a hand.
Comment #63
dsnopek: We've gotten reports that the patch breaks certain features of OG. Here's a bug fix patch, and a new complete patch that includes both fixes! I'll commit them in a moment.
Comment #64
dsnopek: Committed! Sorry about that, everyone!
Comment #65
jmev: Is the OG bug fix patch included in the full release of 6.42 (https://github.com/d6lts/drupal/releases/tag/6.42), or is there a 6.43?
Also, I am having to update a very outdated D6 installation, still on 6.28. If I apply this patch first to that version (with plans to update complete core in the next week or 2), will there be any negative ramifications, and if so, what are they?
Comment #66
dsnopek: There's a 6.43:
https://github.com/d6lts/drupal/releases/tag/6.43
And for Pressflow too:
https://github.com/pressflow/6/releases/tag/pressflow-6.43.124
I don't think there will be any negative ramifications from applying the patch first then updating. However, I'd really recommend updating as soon as possible! If you're still on 6.28, you're missing a number of other security fixes as well.
Comment #67
howdytom (volunteer): Thank you. Excellent work. I've successfully updated to 6.43.
Comment #68
ff01: Is there a simple way to check that the patch has been applied correctly and is actually working?
Comment #69
dsnopek: To check if it's working, you could add this to your settings.php:
And then visit your site with a URL like
http://www.example.com?%23test=true
It should log that the '#test' key was removed in your PHP logs.
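The probe in the comment above works because the fix strips every request key that begins with '#' before Drupal's form/render system can see it, and optionally logs what it removed. The following is an added model of that rule, written for this page; it is not the D6LTS patch's code and not the settings.php snippet from the comment (which is not reproduced here). Function names (php_parse_query, sanitize_request, strip_dangerous_values), the whitelist parameter, the handling of a nested query string inside ?destination= and the wording of the log line are all modelled on the Drupal 7 request-sanitizer.inc; that the Drupal 6 backport in includes/bootstrap.inc behaves identically in every detail is an assumption, not something this thread states. The inputs at the bottom are constructed.

```python
"""Model of the request-input sanitization introduced by the SA-CORE-2018-002 fix.

Added illustration, not the D6LTS patch's own code. Rule modelled on the
Drupal 7 request-sanitizer.inc: any key starting with '#' is dropped from the
parsed request data at every nesting level unless whitelisted, and the
removed keys are reported so they can be logged (as in the probe URL
?%23test=true). 'destination' scrubbing and the log wording are assumed to
match the Drupal 6 backport (_drupal_bootstrap_sanitize_input).
"""
from urllib.parse import quote_plus, unquote_plus


def php_parse_query(query: str) -> dict:
    """Parse a query string into nested dicts the way PHP builds $_GET from
    names such as form[name], form[#custom] and list[] (minimal model)."""
    result: dict = {}
    for pair in query.split('&'):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition('=')
        name, value = unquote_plus(raw_name), unquote_plus(raw_value)
        # "form[#custom][x]" -> ["form", "#custom", "x"]; "list[]" -> ["list", ""]
        head, _, rest = name.partition('[')
        keys = [head]
        if rest:
            keys += [part.rstrip(']') for part in rest.split('[')]
        node = result
        for key in keys[:-1]:
            if not isinstance(node.get(key), dict):
                node[key] = {}
            node = node[key]
        last = keys[-1] if keys[-1] != '' else str(len(node))  # PHP auto-index for []
        node[last] = value
    return result


def php_build_query(data: dict, prefix: str = '') -> str:
    """Inverse of php_parse_query, used to rebuild a cleaned 'destination'."""
    pairs = []
    for key, value in data.items():
        name = f'{prefix}[{key}]' if prefix else str(key)
        if isinstance(value, dict):
            sub = php_build_query(value, name)
            if sub:
                pairs.append(sub)
        else:
            pairs.append(f'{quote_plus(name)}={quote_plus(str(value))}')
    return '&'.join(pairs)


def strip_dangerous_values(data: dict, whitelist, removed: list) -> dict:
    """Drop '#'-prefixed keys at every nesting level, recording them in `removed`."""
    cleaned = {}
    for key, value in data.items():
        if str(key).startswith('#') and key not in whitelist:
            removed.append(str(key))
            continue
        if isinstance(value, dict):
            value = strip_dangerous_values(value, whitelist, removed)
        cleaned[key] = value
    return cleaned


def sanitize_request(query: str, whitelist=()) -> tuple:
    """Sanitize a raw GET query string. Returns (cleaned_params, removed_keys)."""
    removed: list = []
    cleaned = strip_dangerous_values(php_parse_query(query), whitelist, removed)
    # The Drupal 7 sanitizer also scrubs a query string embedded in ?destination=
    dest = cleaned.get('destination')
    if isinstance(dest, str) and '?' in dest:
        path, _, dest_query = dest.partition('?')
        dest_removed: list = []
        dest_clean = strip_dangerous_values(php_parse_query(dest_query), whitelist, dest_removed)
        if dest_removed:
            removed.extend(dest_removed)
            rebuilt = php_build_query(dest_clean)
            cleaned['destination'] = path + ('?' + rebuilt if rebuilt else '')
    return cleaned, removed


def log_message(removed: list, source: str = 'GET') -> str:
    """Wording of the notice the sanitizer logs (modelled on Drupal 7's message)."""
    return (f'Potentially unsafe keys removed from query string parameters ({source}): '
            + ', '.join(removed))


if __name__ == '__main__':
    # Constructed inputs: the probe from the comment above, a nested form-style
    # request, and a '#' key hidden inside an encoded destination parameter.
    for query in ('%23test=true',
                  'form[%23custom]=1&form[name]=alice',
                  'destination=%2Fuser%3F%23x%3D1%26a%3Db'):
        cleaned, removed = sanitize_request(query)
        print(query, '->', cleaned, '|', log_message(removed) if removed else 'nothing removed')
```

Two things worth noticing when reading the output: the key is removed wherever it sits in the structure, not only at the top level, and a key that is whitelisted (`sanitize_request('%23test=true', whitelist=('#test',))`) survives, which is exactly why a whitelist entry should never be added just to make a broken module work again.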
Comment #70
tescometro: Thanks for that test method. Worked for me, and great to confirm the patch is actually installed properly.
Thanks for everything here.
Comment #71
gregory100 (volunteer): Problems with D6.37 multisite and patched bootstrap.inc
I am running Drupal 6.37 multisite with 3 websites.
After applying the patched bootstrap.inc from your 6.43 package (only uploading via FTP, no editing or Drupal update.php activation), 1 of the 3 sites works fine, the other 2 do not. They show just nothing. No HTML source, no 404, no other server error, nothing but an empty browser window. Never seen that before.
I don't think this is a hack, because when I change back to the original 6.37 bootstrap.inc the 2 sites are alive again. Back to the patched bootstrap.inc -> blank page again...
Is there an incompatibility between Drupal 6.37 and bootstrap.inc from D6.43?
(Maybe this is all my fault, D6LTS was new to me since this highly critical issue. Thanks for your work.)
Comment #72
HansKuiters: @gregory100: you could check your PHP error log on the webserver. Maybe that gives you (and us) a clue.
Comment #73
dsnopek: @gregory100: I can't think of what the problem with Drupal 6.37 would be, but I'd highly recommend updating all of core to match myDropWizard's Drupal 6.43 (see https://github.com/d6lts/drupal/releases/tag/6.43) rather than just copying individual files. There were security vulnerabilities fixed in 6.38 and 6.39 too, and while none of those vulnerabilities is as bad as this most recent one, it'd be best not to be missing any security fixes.
Comment #74
gregory100 (volunteer): @HansKuiters and @dsnopek
Thanks for your very fast response.
@HansKuiters
>> you could check your PHP error log on the webserver.
Done.
Ongoing PHP 5.6 error log file:
There are many errors logged.
Most look like this:
[Mon Apr 02 21:24:36 2018] [-:error] [pid xxxxxx] [client xxxxxxxxxxxx] [host www.xxxxxxxxxxxxxxx.xxx] PHP Fatal error: Cannot redeclare menu_path_is_external() (previously declared in /is/htdocs/xxxxxxxxxxxxxxxxxxxxx/www/drupal6/includes/bootstrap.inc:1542) in /is/htdocs/xxxxxxxxxxxxxxxx/www/drupal6/includes/menu.inc on line 2475
Comment #75
dsnopek: Ah, ok. In Drupal 6.38 (released more than 2 years ago now!), menu_path_is_external() moved from includes/menu.inc to includes/bootstrap.inc. So, you could try also uploading includes/menu.inc, but I'd really, HIGHLY recommend updating ALL of core to Drupal 6.43 rather than continuing to copy individual files.
Comment #76
HansKuiters: That is for sure a problem. It seems to me that the function menu_path_is_external() has been moved from menu.inc to bootstrap.inc. So I back the advice from @dsnopek to update all core files to match 6.43.
Edit: @dsnopek already answered ;-)
Comment #77
neallawson: I too was running Drupal 6.38. I downloaded and updated to 6.43, and when I try to install the patch (SA-CORE-2018-002.patch) I get a message that the patch is already installed. Does 6.43 include this patch? However, I do not see includes/request-sanitizer.inc or a call to it in bootstrap.inc.
Comment #78
howdytom (volunteer): @neallawson. Yes, Drupal 6.43 includes SA-CORE-2018-002.
https://github.com/d6lts/drupal/compare/6.42...6.x
Comment #79
neallawson: Thank you, @howdytom! Much appreciated.
Comment #80
dsnopek: request-sanitizer.inc was part of the Drupal 7 patch. The Drupal 6 implementation does the same thing, but doesn't have that file.
In any case, Drupal 6.43 is the latest D6LTS version and includes all security fixes so far!
Comment #81
neallawson: Thanks, @dsnopek! Thank you very much for the patch and 6.43!
Comment #82
hanoii: It's probably late, as I hope that most Drupals were updated, but I found this and I think it's a useful piece of information related to this issue, not just for D6, to be aware of.
It's basically an attempt to do what the patch does, but at the server level:
https://gist.github.com/SniperSister/96bbf89a579f763884ceb0b434d73b36
Comment #83
april26: Thank you - I have been so worried about my old D6 clients!
Comment #84
jeetendrakumar (volunteer): Hi @dsnopek
I am running Drupal 6.30. I have a couple of questions:
1. Will it work for 6.30 version?
2. Will it (patch) fix the Vulnerability: Remote Code Execution (CVE-2018-7600)?
Thanks in Advance :)
Comment #85
NiklasBr: jeetendrakumar, I have no idea about your first question, and I hope you have a really good reason to stay on 6.30 rather than updating to 6.43; you are missing out on many security fixes.
On your second question: SA-CORE-2018-002 is CVE-2018-7600, you can confirm this by following any of the two links in the issue summary.
Comment #86
dsnopek: @jeetendrakumar since you mentioned me directly, I'll respond, but I agree completely with @NiklasBr. I suspect the patch will apply to 6.30 (although I haven't tested it), but you'd be leaving yourself open to other security vulnerabilities that were fixed in other updates.
Comment #87
jeetendrakumar (volunteer): Hi @dsnopek
We have updated the Drupal version from 6.30 to 6.43, and our security team checked the SA-CORE-2018-002 vulnerability on this version via a Python script (Drupalgeddon2) and found that the code is still vulnerable.
Comment #88
vishalkhialani (at Red Crackle): Hi @jeetendrakumar,
After reading your comment that the update might not be working against Drupalgeddon2, I thought I should double-check my sites.
So I looked into my servers and did not find any kind of pattern of being compromised.
I also ran a script exploit on one of our test servers, and the exploit did not work.
Please share (maybe directly with @dsnopek) your use case as to when and how it's breaking.
I am also available.
Thank you,
Vishal
Comment #89
dsnopek: @jeetendrakumar Can you send me a message through my contact form with a link or the actual Python script that you're using? If they have an attack that works even with the patch, I'd really, really like to see it. All of the exploit scripts posted publicly that I have seen should be stopped by this patch.
Comment #90
cspitzlay: @jeetendrakumar:
Just to point out the obvious: there are several things that can go wrong when updating...
A broken deployment, or failure to restart a cache of the parsed PHP code if so configured
(Apache for mod_php, or php-fpm for FPM).
Is the updated version string reflected on your admin/reports/status page?
Comment #91
steeph: deleted (sorry, my mistake, got the versions mixed up in my head)
Comment #92
cspitzlay: @steeph: In case you are referring to the things that can go wrong: 6.43 is supposed to contain the patch, isn't it?
Comment #93
steeph: Yes, that's what I meant. Realised it shortly after. Sorry.
Comment #94
amccune: Hi
Will the 2018-004 critical core vulnerability also be patched through this program?
cheers
Adam
Comment #95
dsnopek: All Drupal core vulnerabilities that also affect Drupal 6 will have patches released in this project, yes.
Comment #96
rreiss: @jeetendrakumar what you wrote doesn't make any sense to me.
1. The patch should block Drupalgeddon2 attacks, assuming that your site was patched using the provided patch.
2. Most of the crawlers (and maybe even all of those) are targeting D8 and D7, and although I didn't test the exploits on D6, I don't think that the D7 one will work as it is (it will require some modifications).
@dsnopek If @jeetendrakumar shares the mentioned Python script with you, I'll be glad to help if you need some assistance.
* I was one of the three-person group who wrote the original "uncovering Drupalgeddon2" blog post.
Comment #97
HansKuiters: @amccune: do you mean 2018-003? That was announced today for this Wednesday. Or is there a 2018-004 announced?
Comment #98
Arbelo: The latest announcement referenced SA-CORE-2018-004, but I think that was a typo. The URL for the announcement has 003 in it:
https://www.drupal.org/psa-2018-003
But in the text, it has:
The CVE for this issue is CVE-2018-7602. The Drupal-specific identifier for the issue will be SA-CORE-2018-004.
Comment #99
hugovk (at Digia): It is public service announcement number three, PSA-2018-003, announcing core security fix number four, SA-CORE-2018-004.
SA-CORE-2018-003 was for CKEditor, which is only in core for 8.x.
Comment #100
jeetendrakumar (volunteer): Thanks for the quick response :)
Hi @dsnopek I have shared detail with you.
Comment #101
jeetendrakumar (volunteer): @cspitzlay Yes, it is reflected on the status page.
Comment #102
actionmedres: I have read that SA-CORE-2018-003 would be for CKEditor and only for versions 7.x and 8.x?
Will there be a version 6.x release soon after?
Thanks
Comment #103
dsnopek: That is off-topic for this issue. In the future, please open a new issue!
However, to answer your question: SA-CORE-2018-003 is actually a vulnerability in the CKEditor library, and is only a Drupal issue because Drupal 8 bundles CKEditor. If you use a vulnerable version of the CKEditor library (versions 4.5.11 up to 4.9.1) then your site is vulnerable regardless of which Drupal version you are using (6, 7 or 8). We're not going to release a Drupal 6 patch for that - just check your CKEditor library version and update that if you need to!
Comment #104
dsnopek: @jeetendrakumar: Thanks for sending the script!
To those following along here, I looked at the script and it appears to be written specifically for Drupal 8 sites. I believe it saying the site is vulnerable is a false positive because it doesn't know how to test for the Drupal 6 variant of this issue.
Comment #105
jeetendrakumar (volunteer): @dsnopek Thanks for the review :)
Comment #106
igorski (volunteer): I think everything about the original issue is more than covered here. Just for reference, I linked to the new issue for the upcoming patch.
Comment #107
hanoii: @dsnopek
Do you already know if the new SA will affect the patched D6?