[Security-news] PSA-2010-001: Policy on release versions and permissions

security-news at drupal.org security-news at drupal.org
Thu May 13 21:33:02 UTC 2010


  * Advisory ID: PSA-2010-001
  * Project: Drupal core and contrib
  * Versions: 5.x and 6.x and above
  * Date: 2010-May-13
  * Security risk: None

-------- DESCRIPTION ---------------------------------------------------------

This is a public service announcement regarding Drupal Security Team
policies. In a previous PSA [1] we stated that vulnerabilities in modules
which require the "administer content types" permission to be exploited would
not receive an official security release with a security advisory (SA) and
would be handled publicly, much as the "administer site configuration"
permission was already treated. We now maintain a list of permissions that
are treated this way on the Security advisories process and permissions
policy page [2]. That page also clarifies which projects (modules, themes, and
distributions) on drupal.org receive SAs: only projects that have an official
release identified as "Y.x-Z.0", and not projects in alpha, beta, or even
release candidate (RC) stage. This means that a security vulnerability in a
6.x-1.0 or 6.x-2.2 release will receive an SA, while one in a 6.x-1.0-beta10
or 6.x-2.0-RC3 release will not. A project maintainer may use the "Security
update" term to indicate a release that includes security improvements even
if there is no SA, but they are not required to do so. Using the "Security
update" term will trigger the Update module in Drupal 6.x+ core to alert site
maintainers to update their site. The goals of this policy are to ensure that
official security releases with SAs are relevant and receive appropriate
attention, to allow maintainers to fix problems readily while their project is
still in active development, and to permit effective channels of
communication between the maintainers and users of a project.

-------- SOLUTION ------------------------------------------------------------

Only grant the most trusted site administrators the permissions listed on the
Security advisories process and permissions policy [3] page. Be aware that
projects on drupal.org will not receive an SA and security vulnerabilities
will not be kept private until a project reaches an official release
"Y.x-Z.0" status. You are encouraged to use only "Y.x-Z.0" projects for your
sites, and to contribute to or sponsor work on projects you use so that they
can reach an official release.
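As an added illustration (not part of this PSA or of any drupal.org code), the following script applies the release rule above to a site's installed contrib projects: it parses the "<core>.x-<major>.<minor>[-<suffix>]" version strings and flags those still in alpha, beta, RC or dev stage, which will not receive an SA. The "-dev" suffix, the sample inventory and all function names are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Drupal contrib version strings look like "<core>.x-<major>.<minor>[-<suffix>]",
# e.g. "6.x-1.0", "6.x-2.2", "6.x-1.0-beta10", "6.x-2.0-RC3", "6.x-1.x-dev".
# The PSA names alpha, beta and RC; treating "-dev" snapshots the same way
# is an assumption of this example.
VERSION_RE = re.compile(
    r"^(?P<core>\d+)\.x-(?P<major>\d+)\.(?P<minor>\d+|x)"
    r"(?:-(?P<suffix>[A-Za-z]+\d*))?$"
)

@dataclass(frozen=True)
class DrupalVersion:
    core: int
    major: int
    minor: Optional[int]   # None when the minor is "x" (a dev snapshot branch)
    suffix: Optional[str]  # lower-cased pre-release tag such as "beta10", or None

    @property
    def is_official(self) -> bool:
        """An official "Y.x-Z.0"-style release: tagged minor, no pre-release suffix."""
        return self.minor is not None and self.suffix is None

def parse_version(version: str) -> DrupalVersion:
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a contrib version string: {version!r}")
    minor = None if m["minor"] == "x" else int(m["minor"])
    suffix = m["suffix"].lower() if m["suffix"] else None
    return DrupalVersion(int(m["core"]), int(m["major"]), minor, suffix)

def receives_sa(version: str) -> bool:
    """True if a vulnerability in this release would get an official SA."""
    return parse_version(version).is_official

def unsupported_projects(installed: dict) -> dict:
    """Return the installed projects whose version will not receive an SA."""
    return {name: v for name, v in installed.items() if not receives_sa(v)}

# Constructed sample of an installed-module inventory (not real site data).
SAMPLE_SITE = {
    "views": "6.x-2.2",
    "imagecache": "6.x-1.0-beta10",
    "pathauto": "6.x-2.0-RC3",
    "token": "6.x-1.x-dev",
}
```

Run `unsupported_projects` over a real inventory (for example the output of `drush pm-list`) to see which projects need to reach "Y.x-Z.0" before SA coverage applies.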

-------- CONTACT -------------------------------------------------------------

The security team for Drupal [4] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/372836
[2] http://drupal.org/security-advisory-policy
[3] http://drupal.org/security-advisory-policy
[4] http://drupal.org/security-team
