See RESTful - Less Critical - Access bypass - SA-CONTRIB-2015-167
See Mollom - Critical - Access bypass - SA-CONTRIB-2015-168
See Values - Critical - Arbitrary PHP code execution - SA-CONTRIB-2015-172
Use ctools permission 'Use CTools importer' for values set imports
This release contains only a security update (see The eXtensible Catalog (XC) Drupal Toolkit - Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-121 for details).
Encrypt - Moderately Critical - Weak Encryption - SA-CONTRIB-2015-166
This release makes the following changes to encryption methods and key providers that are included in the project:
Removed the "Basic" (default) encryption method
This method has been deprecated and removed from the list of available methods, though it remains available for decrypting existing data.
In addition to the news page and sub-tabs, all security announcements are posted to an email list. To subscribe by email: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.
You can also get RSS feeds for core, contrib, or public service announcements or follow @drupalsecurity on Twitter.
In order to report a security issue, or to learn more about the security team, please see the Security team handbook page.
If you are a Drupal developer, please read the handbook section on Writing secure code.