Are we going to experience another Drupalgeddon?
Back in October 2014, just hours after SA-CORE-2014-005 was released, millions of Drupal sites were hacked. This left site owners, agencies and developers with the tedious and expensive task of cleaning up the mess left behind by the SQL injection.
Today, 22nd March, the Drupal Security Team has released an important announcement: a highly critical security vulnerability has been found in Drupal 7.x, 8.3.x, 8.4.x and 8.5.x. A security release will be published on March 28th between 18:00 – 19:30 UTC – that’s 5:00 – 6.30 AEST.
“Team urges you to reserve time for core updates at that time because exploits /might/ be developed within hours or days.”
The fact that the announcement has been made a week ahead means it’s a big one. Use this week to get your websites ready to receive the security update.
Don’t delay, you’ve been warned!
How to prepare?
I am a Marameo Design customer
Most of our customers are on our Support Plan. This means their site is already running the latest Drupal core and modules, and they will receive the security update within 4 hours of release. Easy.
I have a Support Plan with another agency
That’s great. This means you should have received some communication about this important update and you should be running the latest Drupal core and modules. Just to be sure, send them an email to confirm it’s all good and that they are ready to install the security update next Thursday from 6.30am.
I don’t have a Support Plan
First off, you need to check the status of your current installation. Are you running Drupal 7? Drupal 8? Log in to your site with an administrator user, and go to the Module page. Make sure you have enabled the “Update Manager” module and then go to /admin/modules/update.
Here you will find a list of modules and which Drupal core version you are using. You should be on Drupal 7.57 or Drupal 8.5.0.
Update your Drupal site to the latest version of core and install all security updates available for contrib modules. The update process isn’t too straightforward if you have never done it, but here’s a guide for updating Drupal 7 and updating Drupal 8.
You want to have an up-to-date installation before Thursday 28th March.
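If you look after several sites and have shell access, the same version check can be done from the files on disk. The script below is an added example, not part of the original post: it assumes the core version constant sits in includes/bootstrap.inc (Drupal 7) or core/lib/Drupal.php (Drupal 8), the function names are made up for illustration, and the baselines are the 7.57 and 8.5.0 named above.

```sh
#!/bin/sh
# Added example: read the Drupal core version from a docroot and compare it
# with the baseline named in the article (7.57 or 8.5.0).

# Print the core version found under docroot $1 (empty if not found).
drupal_core_version() {
    if [ -f "$1/core/lib/Drupal.php" ]; then
        # Drupal 8 keeps it as:  const VERSION = '8.5.0';
        sed -n "s/^[[:space:]]*const VERSION = '\([^']*\)';.*/\1/p" \
            "$1/core/lib/Drupal.php" | head -n 1
    elif [ -f "$1/includes/bootstrap.inc" ]; then
        # Drupal 7 keeps it as:  define('VERSION', '7.57');
        sed -n "s/^define('VERSION', '\([^']*\)');.*/\1/p" \
            "$1/includes/bootstrap.inc" | head -n 1
    fi
}

# Return 0 if dotted version $1 >= $2. Fields are compared as numbers, so
# 7.9 is older than 7.57; a "-dev" or "-rc1" suffix is ignored.
version_ge() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Print "<version> ok|outdated|unknown" for docroot $1; status 0 only if ok.
check_docroot() {
    v=$(drupal_core_version "$1")
    case $v in
        7.*) min=7.57 ;;
        8.*) min=8.5.0 ;;
        *)   echo "${v:-none} unknown"; return 2 ;;
    esac
    if version_ge "$v" "$min"; then
        echo "$v ok"
    else
        echo "$v outdated"; return 1
    fi
}

# Usage: sh check.sh /var/www/site1 /var/www/site2   (paths are placeholders)
for d in "$@"; do check_docroot "$d" || true; done
```

A site reported as "ok" only meets the pre-release baseline; it still needs the security release itself once it is out.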
Conclusions
While we hope this security update won’t affect the Drupal ecosystem like Drupalgeddon did a few years ago, let’s do the right thing and update your Drupal installation, pronto.