As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules – but the Drupal 6 LTS vendors are and we’re one of them!
Today, there is a Critical security release for Drupal core to fix multiple vulnerabilities. You can learn more in the security advisory:
The following vulnerabilities mentioned in the security advisory also affect Drupal 6:
External URL injection through URL aliases – Moderately Critical – Open Redirect
Injection in DefaultMailSystem::mail() – Critical – Remote Code Execution
The first vulnerability is in Drupal 6 core, however, the 2nd is only present in the contrib modules: htmlmail, and mimemail. If you don’t use those modules, you’re not affected by the 2nd vulnerability.
- Here you can download the Drupal 6 patch to fix, or a full release ZIP or TAR.GZ.
- And here’s the mimemail patch, or a full release.
- And here’s the htmlmail patch, or full release.
If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. 🙂
If you’d like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they’re released, please check out our D6LTS plans.
Note: if you use the myDropWizard module (totally free!), you’ll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won’t necessarily have a release on Drupal.org).