The Drupal project has released version 4.6.3 of its open-source content management platform. Drupal 4.6.3 is a maintenance release that fixes problems reported using the bug tracking system. Drupal 4.6.3 also fixes a NEW SECURITY VULNERABILITY which was discovered in the third-party XML-RPC library Drupal uses. An attacker could execute arbitrary PHP code on a target site.
Upgrading your existing Drupal sites is highly recommended. As the same bugs are also present in the Drupal 4.5 series, Drupal 4.5.5 is released as well.
For detailed information about this release and the security vulnerability, please consult the release announcement at http://drupal.org/drupal-4.6.3 and read the DRUPAL-SA-2005-004 security advisory at http://drupal.org/files/sa-2005-004/advisory.txt.
Kudos to all Drupal contributors who helped to get these releases out,
-- Dries Buytaert :: http://www.buytaert.net/
On Aug 14, 2005, at 10:08 PM, Dries Buytaert wrote:
> The Drupal project has released version 4.6.3 of its open-source content management platform. Drupal 4.6.3 is a maintenance release that fixes problems reported using the bug tracking system. Drupal 4.6.3 also fixes a NEW SECURITY VULNERABILITY which was discovered in the third-party XML-RPC library Drupal uses. An attacker could execute arbitrary PHP code on a target site.
> Upgrading your existing Drupal sites is highly recommended. As the same bugs are also present in the Drupal 4.5 series, Drupal 4.5.5 is released as well.
> For detailed information about this release and the security vulnerability, please consult the release announcement at http://drupal.org/drupal-4.6.3 and read the DRUPAL-SA-2005-004 security advisory at http://drupal.org/files/sa-2005-004/advisory.txt.
> Kudos to all Drupal contributors who helped to get these releases out,
> -- Dries Buytaert :: http://www.buytaert.net/
Being a newbie with Drupal. How do I apply the 4.6.2 -> 4.6.3 patch?
Peter,
you can find instructions here:
http://drupal.org/drupal-4.6.3
Cheers, Emiliano.
On Sunday 14 August 2005 23:20, Peter Apockotos wrote:
> On Aug 14, 2005, at 10:08 PM, Dries Buytaert wrote:
> > The Drupal project has released version 4.6.3 of its open-source
> > ...
> Being a newbie with Drupal. How do I apply the 4.6.2 -> 4.6.3 patch?
On Aug 14, 2005, at 10:30 PM, Emiliano wrote:
> Peter,
> you can find instructions here:
> http://drupal.org/drupal-4.6.3
> Cheers, Emiliano.
> On Sunday 14 August 2005 23:20, Peter Apockotos wrote:
> > On Aug 14, 2005, at 10:08 PM, Dries Buytaert wrote:
> > > The Drupal project has released version 4.6.3 of its open-source
> > > ...
> > Being a newbie with Drupal. How do I apply the 4.6.2 -> 4.6.3 patch?
I did read that. The patch just looks like a diff of the changes. Do I hand correct it? Or do I just download the entire 4.6.3 version and replace the affected items?
Peter Apockotos: http://www.apockotos.com http://www.macmariner.com http://www.knightrider.org
Hi,
see http://drupal.org/diffandpatch for how to apply the patch.
Gordon.
On Sun, 2005-08-14 at 22:39 -0400, Peter Apockotos wrote:
> On Aug 14, 2005, at 10:30 PM, Emiliano wrote:
> > Peter,
> > you can find instructions here:
> > http://drupal.org/drupal-4.6.3
> > Cheers, Emiliano.
> > On Sunday 14 August 2005 23:20, Peter Apockotos wrote:
> > > On Aug 14, 2005, at 10:08 PM, Dries Buytaert wrote:
> > > > The Drupal project has released version 4.6.3 of its open-source
> > > > ...
> > > Being a newbie with Drupal. How do I apply the 4.6.2 -> 4.6.3 patch?
> I did read that. The patch just looks like a diff of the changes. Do I hand correct it? Or do I just download the entire 4.6.3 version and replace the affected items?
> Peter Apockotos: http://www.apockotos.com http://www.macmariner.com http://www.knightrider.org
On Aug 14, 2005, at 11:17 PM, Gordon Heydon wrote:
> Hi,
> see http://drupal.org/diffandpatch for how to apply the patch.
> Gordon.
Thank you Gordon.
Peter Apockotos: http://www.apockotos.com http://www.macmariner.com http://www.knightrider.org
On Aug 14, 2005, at 11:17 PM, Gordon Heydon wrote:
> Hi,
> see http://drupal.org/diffandpatch for how to apply the patch.
> Gordon.
I uploaded the patch and did this patch -p0 -u < xmlrpc-4.6.2.patch in the shell. Everything looks good! That was fast!
Thanks again!
Peter Apockotos http://www.apockotos.com http://www.knightrider.org http://www.macmariner.com
One of my sites has been hacked several times so I need to upgrade to get the security fix. My hosting company uses Fantastico CPanel which does not yet offer 4.63 for auto upgrade. How would I go about doing this manually?
Rob
----- Original Message -----
From: "Emiliano" emiliano@novayork.com
To: drupal-support@drupal.org
Sent: Sunday, August 14, 2005 9:30 PM
Subject: Re: [drupal-support] Drupal 4.6.3 released (security alert)
> Peter,
> you can find instructions here:
> http://drupal.org/drupal-4.6.3
> Cheers, Emiliano.
> On Sunday 14 August 2005 23:20, Peter Apockotos wrote:
> > On Aug 14, 2005, at 10:08 PM, Dries Buytaert wrote:
> > > The Drupal project has released version 4.6.3 of its open-source
> > > ...
> > Being a newbie with Drupal. How do I apply the 4.6.2 -> 4.6.3 patch?
-- [ Drupal support list | http://lists.drupal.org/ ]
* Rob [2005-08-15 12:44]:
> One of my sites has been hacked several times so I need to upgrade to get the security fix. My hosting company uses Fantastico CPanel which does not yet offer 4.63 for auto upgrade. How would I go about doing this manually?
I'd suggest just ripping out (deleting) the xmlrpc.php file (as one of the listed options says).
I got screwed on the last huge hole in that library and now delete the file ASAP on any new setups...
What does the xmlrpc.php file do anyway? What Drupal functionality is lost when you delete that file?
Regards,
Dan
=================================================
Dan Romanchik, Web Developer & Blogger
734-930-6564, kb6nu@w8pgw.org
Read my ham radio blog at http://www.kb6nu.com
Todd Grimason wrote:
> * Rob [2005-08-15 12:44]:
> > One of my sites has been hacked several times so I need to upgrade to get the security fix. My hosting company uses Fantastico CPanel which does not yet offer 4.63 for auto upgrade. How would I go about doing this manually?
> I'd suggest just ripping out (deleting) the xmlrpc.php file (as one of the listed options says).
> I got screwed on the last huge hole in that library and now delete the file ASAP on any new setups...
* Dan Romanchik [2005-08-15 19:27]:
> What does the xmlrpc.php file do anyway? What Drupal functionality is lost when you delete that file?
AFAIK only desktop clients use it - things like ecto and so on, primarily/originally for posting remotely to weblogs. Perhaps some other services take advantage of it now, I'm not sure. Perhaps things like Flickr which have some sort of cross-platform posting or something..
Using a remote posting tool was one of the main reasons I picked Drupal. I use BlogJet and can post entries in just a few seconds which saves me a lot of time. If the file is deleted will that prevent me from ever using remote applications again?
Rob
----- Original Message -----
From: "Todd Grimason" todd@slack.net
To: drupal-support@drupal.org
Sent: Monday, August 15, 2005 7:17 PM
Subject: Re: [drupal-support] Drupal 4.6.3 released (security alert)
> * Dan Romanchik [2005-08-15 19:27]:
> > What does the xmlrpc.php file do anyway? What Drupal functionality is lost when you delete that file?
> AFAIK only desktop clients use it - things like ecto and so on, primarily/originally for posting remotely to weblogs. Perhaps some other services take advantage of it now, I'm not sure. Perhaps things like Flickr which have some sort of cross-platform posting or something..
> --
> toddgrimason*todd[ at ]slack.net
-- [ Drupal support list | http://lists.drupal.org/ ]
Rob wrote:
> Using a remote posting tool was one of the main reasons I picked Drupal. I use BlogJet and can post entries in just a few seconds which saves me a lot of time. If the file is deleted will that prevent me from ever using remote applications again?
> Rob
That's right, to overcome this situation, you can restrict access to this xmlrpc.php to serve your IP (network) only. But I'm not sure how to do that, since I don't know how this xmlrpc works.
Thanks Aris
See http://www.petersblog.org/node/518 for details on how to restrict access to xml-rpc.php by ip address using .htaccess
AF
On 8/16/05, risiyanto budi risiyanto@budi.or.id wrote:
> Rob wrote:
> > Using a remote posting tool was one of the main reasons I picked Drupal. I use BlogJet and can post entries in just a few seconds which saves me a lot of time. If the file is deleted will that prevent me from ever using remote applications again?
> > Rob
> That's right, to overcome this situation, you can restrict access to this xmlrpc.php to serve your IP (network) only. But I'm not sure how to do that, since I don't know how this xmlrpc works.
> Thanks Aris
-- [ Drupal support list | http://lists.drupal.org/ ]
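The mitigation discussed in the messages above (keep xmlrpc.php for remote posting tools but only answer requests from a known address) can be written as the following .htaccess fragment. This is an added example, not taken from the thread or from the linked blog post; it assumes an Apache host that honours .htaccess files, and 203.0.113.10 is a constructed placeholder address.

```apache
# .htaccess in the Drupal root (the directory that contains xmlrpc.php).
# 203.0.113.10 is a constructed placeholder: replace it with the address
# your remote posting client connects from.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
  <Files "xmlrpc.php">
    Require ip 203.0.113.10
  </Files>
</IfModule>

# Apache 2.2 and earlier (host-based access control)
<IfModule !mod_authz_core.c>
  <Files "xmlrpc.php">
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
  </Files>
</IfModule>
```

Both forms take effect only if the host's AllowOverride setting permits them (AuthConfig for Require, Limit for Order/Deny/Allow). Confirm the rule by requesting xmlrpc.php from a different address and checking for a 403 response; this restricts who can reach the vulnerable library but does not replace the upgrade.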
Sorry, Rob. I just found your message buried in the drupal folder.
You should be able to download it into the same directory that is the root of the Drupal install now using wget. The url for downloading is:
http://drupal.org/files/projects/drupal-4.6.3.tar.gz
I haven't read the notes on this, but I don't think there are any database schema changes. As long as that's the case, you should be able to follow the directions on the INSTALL.txt (which you may want to untar separately).
We probably want to tarball the existing site and do a database dump first. I did the same on our site the other day and restored on my laptop seamlessly.
Dennis
Rob wrote:
> One of my sites has been hacked several times so I need to upgrade to get the security fix. My hosting company uses Fantastico CPanel which does not yet offer 4.63 for auto upgrade. How would I go about doing this manually?
> Rob
> ----- Original Message -----
> From: "Emiliano" emiliano@novayork.com
> To: drupal-support@drupal.org
> Sent: Sunday, August 14, 2005 9:30 PM
> Subject: Re: [drupal-support] Drupal 4.6.3 released (security alert)
> > Peter,
> > you can find instructions here:
> > http://drupal.org/drupal-4.6.3
> > Cheers, Emiliano.
> > On Sunday 14 August 2005 23:20, Peter Apockotos wrote:
> > > On Aug 14, 2005, at 10:08 PM, Dries Buytaert wrote:
> > > > The Drupal project has released version 4.6.3 of its open-source
> > > > ...
> > > Being a newbie with Drupal. How do I apply the 4.6.2 -> 4.6.3 patch?
-- [ Drupal support list | http://lists.drupal.org/ ]
I am trying to figure out how to add a second administrator and cannot find a way to do that. It does not explain how in any of the help sections I could find.
Rob
> I am trying to figure out how to add a second administrator and cannot find a way to do that. It does not explain how in any of the help sections I could find.
Rob,
I don't know if this is the best way, but what I do is create a new role called 'admin' or 'super user' (go to 'administer/access control' and select the 'roles' tab) and then grant that role privileges (the 'administer/access control/permissions' tab) to administer some or all of the site. Then enable that role for any users who should have admin privileges.
--Eric Crump
Eric's solution is IMO the best practice. In fact, I (and other Drupal developers) encourage this, and often advise people to not use superuser at all.
On Sat, Oct 15, 2005 at 01:03:04PM -0500, Eric Crump wrote:
> > I am trying to figure out how to add a second administrator and cannot find a way to do that. It does not explain how in any of the help sections I could find.
> Rob,
> I don't know if this is the best way, but what I do is create a new role called 'admin' or 'super user' (go to 'administer/access control' and select the 'roles' tab) and then grant that role privileges (the 'administer/access control/permissions' tab) to administer some or all of the site. Then enable that role for any users who should have admin privileges.
> --Eric Crump
-- [ Drupal support list | http://lists.drupal.org/ ]
I agree. I also create a role with the exact same name as mentioned: 'super user'. Perhaps I should rename it to 'admin'. But that is the best way to go. Perhaps put this in the Drupal FAQ somewhere? I can see where people switching from other systems that have an 'admin' check-box or role could be confusing. The only drawback is that as you add modules, you'll have to grant that 'admin' role access to them. I could be wrong on this.
- Earnest
-----Original Message-----
From: drupal-support-bounces@drupal.org [mailto:drupal-support-bounces@drupal.org] On Behalf Of Bèr Kessels
Sent: Sunday, October 16, 2005 7:11 AM
To: drupal-support@drupal.org
Subject: Re: [drupal-support] How do add Second Administrator?
> Eric's solution is IMO the best practice. In fact, I (and other Drupal developers) encourage this, and often advise people to not use superuser at all.
> On Sat, Oct 15, 2005 at 01:03:04PM -0500, Eric Crump wrote:
> > > I am trying to figure out how to add a second administrator and cannot find a way to do that. It does not explain how in any of the help sections I could find.
> > Rob,
> > I don't know if this is the best way, but what I do is create a new role called 'admin' or 'super user' (go to 'administer/access control' and select the 'roles' tab) and then grant that role privileges (the 'administer/access control/permissions' tab) to administer some or all of the site. Then enable that role for any users who should have admin privileges.
> > --Eric Crump
-- [ Drupal support list | http://lists.drupal.org/ ]
I've just added a couple of modules in 4.6.3 and yes you would have to grant any "admin" role (I call mine "administrator") access to them. Out of interest though - are there any actual problems with using the in-built super-user/owner/user 0 functionality? Or is it just that you can only have one of them when you can have several users assigned the "administrator" role?
David Gibbens Exeter, UK +44 1392 477735
-----Original Message-----
From: drupal-support-bounces@drupal.org [mailto:drupal-support-bounces@drupal.org] On Behalf Of Earnest Berry
Sent: 16 October 2005 17:07
To: drupal-support@drupal.org
Subject: RE: [drupal-support] How do add Second Administrator?
> I agree. I also create a role with the exact same name as mentioned: 'super user'. Perhaps I should rename it to 'admin'. But that is the best way to go. Perhaps put this in the Drupal FAQ somewhere? I can see where people switching from other systems that have an 'admin' check-box or role could be confusing. The only drawback is that as you add modules, you'll have to grant that 'admin' role access to them. I could be wrong on this.
> - Earnest
> -----Original Message-----
> From: drupal-support-bounces@drupal.org [mailto:drupal-support-bounces@drupal.org] On Behalf Of Bèr Kessels
> Sent: Sunday, October 16, 2005 7:11 AM
> To: drupal-support@drupal.org
> Subject: Re: [drupal-support] How do add Second Administrator?
> > Eric's solution is IMO the best practice. In fact, I (and other Drupal developers) encourage this, and often advise people to not use superuser at all.
> > On Sat, Oct 15, 2005 at 01:03:04PM -0500, Eric Crump wrote:
> > > > I am trying to figure out how to add a second administrator and cannot find a way to do that. It does not explain how in any of the help sections I could find.
> > > Rob,
> > > I don't know if this is the best way, but what I do is create a new role called 'admin' or 'super user' (go to 'administer/access control' and select the 'roles' tab) and then grant that role privileges (the 'administer/access control/permissions' tab) to administer some or all of the site. Then enable that role for any users who should have admin privileges.
> > > --Eric Crump
-- [ Drupal support list | http://lists.drupal.org/ ]