Yesterday we told you that today, July 13th, it was very important to be on the lookout for security updates to contributed modules that the Drupal security team would announce as they correct a highly critical vulnerability.
You may wonder why, if Drupal is considered so secure, patches like this appear and need to be applied as soon as possible. It is precisely because Drupal takes its security very seriously and has a very proactive security team that carries out constant tests, which in many cases can also originate from a company that works with Drupal. This is the nature of the collective intelligence that an open source community generates: thousands of experts interact with Drupal daily, making it better every day and, as in this case, safer.
What happens if I don't update?
Your site will not stop working. However, there will be a latent possibility of a hack. In many cases the attackers do not seek to damage the site but to plant back doors and silently exploit access to information, and you may not realize it until it is too late.
The famous Panama Papers case occurred because of a vulnerability similar to this one and the lack of an update policy aligned with the security team's announcements.
What are the modules to update?
- Coder: https://www.drupal.org/node/2765575
- RESTful Web Services: https://www.drupal.org/node/2765567
- Webform Multiple File Upload: https://www.drupal.org/node/2765573
In the particular case of the Coder module, it does not need to be enabled for the vulnerability to be exploited; it is enough for it to be present in the docroot.
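Because a disabled copy of Coder still counts, a check of Drupal's enabled-module list is not enough. The script below is an added example, not code from the original post or from the Drupal project: it searches a docroot on disk for copies of the three modules whether or not they are enabled. It assumes the projects' machine names are `coder`, `restws` and `webform_multifile`, and it reports whatever version each module's own `.info` file declares.

```shell
#!/bin/sh
# Added example: locate copies of the affected modules under a Drupal docroot.
# Assumption: the modules' machine names (directory and .info file names).
MODULES="coder restws webform_multifile"

# find_affected DOCROOT
# Prints one line per copy found: module<TAB>version<TAB>directory
find_affected() {
    docroot=$1
    for m in $MODULES; do
        # Match on the module's .info file on disk, not on the list of
        # enabled modules: presence in the docroot is what matters here.
        find "$docroot" -type f \( -name "$m.info" -o -name "$m.info.yml" \) 2>/dev/null |
        while IFS= read -r info; do
            # Packaged releases carry a "version" line; a git checkout may not.
            ver=$(sed -n 's/^version *[=:] *//p' "$info" | head -n 1 | tr -d "\"'")
            printf '%s\t%s\t%s\n' "$m" "${ver:-unknown}" "$(dirname "$info")"
        done
    done
}

# Stand-alone use: pass the docroot as the first argument.
if [ $# -gt 0 ]; then
    find_affected "$1"
fi
```

Compare each reported version against the release named in the matching advisory linked above, and remember that the search also surfaces copies left in backup or profile directories inside the docroot.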
If you need help with your update process, you can contact us to purchase a pool of specialized support hours.
Please remember that it is very important to keep both the core and contributed modules updated with the latest security patches.