Security updates for Drupal CMS
Versions 4.7.8 and 5.3 of Drupal resolve a number of security vulnerabilities in prior versions. The developers consider one flaw in the installer to be critical. If the SQL server that has been entered is not available, the installer asks the user for another server. This enables the user to smuggle their own code into the system. The developers suggest deleting install.php in the root directory of the installation as a quick workaround. Other vulnerabilities enable HTTP response splitting, cross-site request forgery and cross-site scripting.
Individual patches are available for all the vulnerabilities, but the Drupal team strongly recommends upgrading to 4.7.8 or 5.3 since they contain additional minor bug fixes. However, there are no new features in these upgrades.
- Drupal 4.7.8 and 5.3 released: Security updates and bugfixes, notification and updates from the vendor