If you look at the patch <a href="http://drupal.org/files/sa-core-2009-003/SA-CORE-2009-003-6.9.patch">http://drupal.org/files/sa-core-2009-003/SA-CORE-2009-003-6.9.patch</a><div>you can see it's just adding one single line $arg = str_replace(array('/', '\\', '\0'), '', $arg); to theme.inc for Drupal 6.9.</div>
<div><br></div><div>So if you have no immediate time to really do a full upgrade all your sites right now, its very quick and easy to just add that little line for the moment and feel safe. </div><div><br></div><div>Greetings, </div>
<div><br></div><div>Hans</div><div><br><br><div class="gmail_quote">2009/2/26 Shai Gluskin <span dir="ltr"><<a href="mailto:shai@content2zero.com">shai@content2zero.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Gang,<br><br>I'm a bit confused by the wording regarding the latest security upgrade to core. Usually these announcements are pretty explicit about what situations make you vulnerable and which situations are not vulnerable.<br>
<br>It would seem, by deduction, that a Drupal install running an any server software other than Windows is <i>not </i>vulnerable. Can someone verify that?<br><br>I'll certainly upgrade my sites, given how many bug fixes are also included... but I'd like a better handle on the urgency of things.<br>
<font color="#888888">
<br>Shai<br>
</font><br>--<br>
[ Drupal support list | <a href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]<br></blockquote></div><br><br clear="all"><br>-- <br>Hans Rossel<br>KOBA Webdevelopment<br>Kerkstraat 228<br>9050 Gent<br>
09-334.52.60<br>0472-79.32.16<br><a href="http://www.koba.be">www.koba.be</a><br><a href="mailto:info@koba.be">info@koba.be</a><br>
</div>