Security Updating

It is essential to stay current with the latest security updates: a newly disclosed vulnerability should be closed before someone exploits it against you.

There are basically two steps to security updating: awareness and response.

Awareness: Knowing About Updates

You should subscribe to the security mailing lists for any software you use. This includes the Drupal security announcement list as well as general lists such as Bugtraq.

Response: Installing Updates

When updates are released, you need to install them quickly but also carefully. Few exploits can crash a server as skillfully as an inept system administrator applying patches in a panic.

Security Updating Examples

EmpowerThyself.com's admin lxpk received the following email:

-----------DRUPAL CORE - CROSS SITE REQUEST FORGERIES------------
* Advisory ID: DRUPAL-SA-2006-025
* Project: Drupal core
* Date: 2006-Oct-18
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Cross site request forgeries
------------DESCRIPTION------------
Visiting a specially crafted page, anywhere on the web, may allow that page to
post forms to a Drupal site in the context of the visitor's session. To
illustrate; suppose one has an active user 1 session, the most powerful
administrator account for a site, to a Drupal site while visiting a website
created by an attacker. This website will now be able to submit any form to the
Drupal site with the privileges of user 1, either by enticing the user to submit
a form or by automated means.
An attacker can exploit this vulnerability by changing passwords, posting PHP
code or creating new users, for example. The attack is only limited by the
privileges of the session it executes in.
------------VERSIONS AFFECTED------------
* Drupal 4.6.x versions before Drupal 4.6.10
* Drupal 4.7.x versions before Drupal 4.7.4
------------SOLUTION------------
* If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10
[http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz].
* If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4
[http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz].
* To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-025/4.6.9.patch
* To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-025/4.7.3.patch
Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 4.6.10 or 4.7.4.
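The advisory above describes the bug class but not the fix. The following Python sketch is an added illustration, not code from this page, from Drupal, or from the advisory's authors, and it does not reproduce Drupal's actual patch. It puts two form handlers side by side: one that trusts any POST arriving with a valid session cookie (the condition the advisory describes, since the browser attaches the cookie to a form submitted from any site), and one that additionally requires a form token derived from the session, which a page on another site cannot read. The HMAC secret, session ids and user names are constructed for the example.

```python
import hmac
import hashlib

# Constructed secret for this example only; a real site keeps it out of source control.
SITE_SECRET = b"example-site-secret-do-not-reuse"


def session_token(session_id: str) -> str:
    """Derive a form token bound to the current session (HMAC over the session id).

    Only the site, which holds SITE_SECRET, can produce it, and only the page the
    site renders for that session carries it; a third-party page sees neither.
    """
    return hmac.new(SITE_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_form_unprotected(session, form):
    """Vulnerable handler: any POST with a valid session cookie is accepted.

    This is the situation the advisory describes: the victim's browser sends the
    cookie along with a form submitted from a page anywhere on the web, so the
    request runs with the victim's privileges.
    """
    if session is None:
        return "denied: not logged in"
    return f"changed password for {session['user']}"


def handle_form_protected(session, form):
    """Hardened handler: the POST must also carry the session-bound form token.

    compare_digest is used so the check does not leak timing information.
    """
    if session is None:
        return "denied: not logged in"
    expected = session_token(session["sid"])
    if not hmac.compare_digest(form.get("form_token", ""), expected):
        return "denied: invalid form token"
    return f"changed password for {session['user']}"


def demo():
    """Run both handlers against a forged and a legitimate submission."""
    victim = {"sid": "sess-123", "user": "user 1"}  # constructed session
    # Form rendered by the site itself: it embeds the session-bound token.
    legit = {"new_password": "x", "form_token": session_token(victim["sid"])}
    # Form submitted by a page the site did not render: it has no valid token.
    forged = {"new_password": "x"}
    return {
        "unprotected_forged": handle_form_unprotected(victim, forged),
        "protected_forged": handle_form_protected(victim, forged),
        "protected_legit": handle_form_protected(victim, legit),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The token check is the property the attack relies on being absent: the cookie alone proves who the browser belongs to, not which page built the form.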

The warning answers three simple questions:

  1. Are we affected? Yes: we're running Drupal 4.7.3, so we need to patch.
  2. Is the risk high? Yes: the vulnerability is exploitable remotely and rated highly critical. We need to hurry!
  3. How do we patch? By installing Drupal 4.7.4.
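Once an advisory's fields are parsed, those three questions can be answered mechanically, and the version comparison is the step most often done wrong by hand (4.7.10 is newer than 4.7.4, although it sorts first as a string). The following Python script is an added example, not from this page or the Drupal project: it reads the header and the VERSIONS AFFECTED section of an advisory in the format quoted above, compares the installed version numerically, and returns the triage decision. The embedded excerpt is copied from the advisory above; the function names are my own.

```python
import re

# Excerpt of the advisory quoted above, reduced to the fields the triage needs.
ADVISORY = """\
* Advisory ID: DRUPAL-SA-2006-025
* Project: Drupal core
* Date: 2006-Oct-18
* Security risk: Highly critical
* Exploitable from: Remote
------------VERSIONS AFFECTED------------
* Drupal 4.6.x versions before Drupal 4.6.10
* Drupal 4.7.x versions before Drupal 4.7.4
------------SOLUTION------------
"""


def parse_version(text):
    """'4.7.10' -> (4, 7, 10): tuples compare numerically, strings would not."""
    return tuple(int(part) for part in text.split("."))


def parse_advisory(text):
    """Return the '* Key: value' header fields and a list of (branch, fixed) pairs."""
    fields = dict(re.findall(r"^\* ([^:]+): (.+)$", text, re.M))
    affected = []
    in_versions = False
    for line in text.splitlines():
        if "VERSIONS AFFECTED" in line:
            in_versions = True
            continue
        if line.startswith("-----"):  # any other banner ends the section
            in_versions = False
        if in_versions:
            m = re.match(r"\* Drupal (\d+\.\d+)\.x versions before Drupal ([\d.]+)", line)
            if m:
                affected.append((m.group(1), m.group(2)))
    return fields, affected


def triage(installed, advisory_text):
    """Answer: are we affected, is it urgent, and what version closes the hole?

    A branch the advisory does not list (e.g. 4.5.x) is reported as not affected;
    such a branch is unsupported and needs a separate decision, not an assumption.
    """
    fields, affected = parse_advisory(advisory_text)
    ours = parse_version(installed)
    branch = ".".join(str(p) for p in ours[:2])
    for br, fixed in affected:
        if br == branch and ours < parse_version(fixed):
            urgent = (
                fields.get("Security risk", "").lower().startswith("highly critical")
                and fields.get("Exploitable from", "").lower() == "remote"
            )
            return {"affected": True, "urgent": urgent, "upgrade_to": fixed}
    return {"affected": False, "urgent": False, "upgrade_to": None}


if __name__ == "__main__":
    for version in ("4.7.3", "4.7.4", "4.6.9", "4.7.10"):
        print(version, triage(version, ADVISORY))
```

Running it with 4.7.3, the version in the example above, reports affected and urgent with 4.7.4 as the target; 4.7.10 is correctly reported as not affected, which a lexical comparison would get wrong.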

Updating Utilities

Mac: VersionTracker Pro

VTP keeps your Mac application software updated and saves the time otherwise wasted hunting down individual updates.

Cost: $50 for 3 Macs

Linux: apt-get

Linux distributions like Ubuntu have package managers built in that make it easy to install new packages and keep the installed ones updated.