More on Drupal Exploits, The Patches, and Why Drupal.org is Down.
I wrote about the comment exploit in Drupal, and in searching for new information, was pointed at Webschuur.com's explanation for the Drupal site being down.
Maintenance. OK.
So tracking everything down, I found the patch for the comment exploit for those who need it (those not running Drupal 4.6.2). Follow the instructions in advisory.txt here.
For the XML-RPC bug, follow the instructions in advisory.txt here. If you're running Drupal 4.6.2, again - don't worry about this one.
The lesson? Upgrade, upgrade, upgrade. *Especially* if you're running a business with Drupal.
However, I find it strange that I didn't know about the exploits except through friends and I didn't find out about the patches except by following the link from /dev/random. There's got to be a better way... but with Drupal.org down for maintenance at the time, there's no telling whether it would have been covered on the site or not. *sigh*
As it is, I have been covered since the errors came out - but it's better to be safe than sorry. Comments will be re-enabled after I post this entry.
I posted this a wee bit before Charlie pointed to the old entry...
