Gang,
I'm a bit confused by the wording regarding the latest security upgrade to core. Usually these announcements are pretty explicit about what situations make you vulnerable and which situations are not vulnerable.
It would seem, by deduction, that a Drupal install running on any server software other than Windows is *not* vulnerable. Can someone verify that?
I'll certainly upgrade my sites, given how many bug fixes are also included... but I'd like a better handle on the urgency of things.
Shai
If you look at the patch http://drupal.org/files/sa-core-2009-003/SA-CORE-2009-003-6.9.patch you can see it's just adding one single line $arg = str_replace(array("/", "\\", "\0"), '', $arg); to theme.inc for Drupal 6.9.
So if you have no immediate time to really do a full upgrade of all your sites right now, it's very quick and easy to just add that little line for the moment and feel safe.
Greetings,
Hans
2009/2/26 Shai Gluskin shai@content2zero.com
Gang,
I'm a bit confused by the wording regarding the latest security upgrade to core. Usually these announcements are pretty explicit about what situations make you vulnerable and which situations are not vulnerable.
It would seem, by deduction, that a Drupal install running on any server software other than Windows is *not* vulnerable. Can someone verify that?
I'll certainly upgrade my sites, given how many bug fixes are also included... but I'd like a better handle on the urgency of things.
Shai
-- [ Drupal support list | http://lists.drupal.org/ ]
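For anyone adding the one-line filter from this thread by hand, the following added example (not code from the thread or from Drupal core) checks that the line strips what it is meant to strip, and shows how the same call behaves if the quotes are retyped as single quotes. The function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not Drupal core code. All function names are hypothetical.

// The filter as quoted in the thread. Double quotes matter here:
// "\\" is one backslash and "\0" is the NUL byte.
function strip_path_chars($arg) {
  return str_replace(array("/", "\\", "\0"), '', $arg);
}

// The same call retyped with single quotes. '\\' is still one backslash,
// but '\0' is the two characters backslash and zero, so a real NUL byte
// is never matched and stays in the value.
function strip_path_chars_miscopied($arg) {
  return str_replace(array('/', '\\', '\0'), '', $arg);
}

// Binary-safe check: TRUE if any of the three characters is still present.
function has_path_chars($arg) {
  foreach (array("/", "\\", "\0") as $c) {
    if (strpos($arg, $c) !== FALSE) {
      return TRUE;
    }
  }
  return FALSE;
}

// Render control bytes visibly (NUL prints as \000).
function show($s) {
  return addcslashes($s, "\0..\37");
}

// Constructed sample values, one per character the filter removes,
// plus an ordinary path argument that must pass through unchanged.
$samples = array("node", "a/b", "a\\b", "a\0b");

foreach ($samples as $arg) {
  $good = strip_path_chars($arg);
  $bad  = strip_path_chars_miscopied($arg);
  printf("%-8s filter: %-6s %-6s miscopied: %-8s %s\n",
    show($arg),
    show($good), has_path_chars($good) ? 'DIRTY' : 'clean',
    show($bad),  has_path_chars($bad)  ? 'DIRTY' : 'clean');
}
```

Run it with the PHP command-line interpreter; any row marked DIRTY means that variant of the line left one of the three characters in place.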