http://www.theregister.co.uk/2010/06/10/drupal_security_changes/
By Gavin Clarke
The Register
10th June 2010

Webmasters running unfinished modules for Drupal do so at their own risk
after the open-source CMS updated its guidelines on fixing security
vulnerabilities.

The project has updated the wording on its security site on how it
handles security fixes to clarify it will only work on vulnerabilities
in completed code of modules that comprise the CMS. The change clarifies
that modules in release-candidate mode will not be supported.

Drupal will work with maintainers of modules that are code complete,
with maintainers now given a deadline to fix the problem. If the
deadline's missed, the module and the project will be unpublished from
Drupal.org. Vulnerabilities in unfinished code will simply be flagged in
the module's issue queue.

The clarifications are a response to the discovery of a potentially
serious XSS hole in the Drupal Context module three weeks after White
House developers proudly released their own plug-in based on the buggy
module.

[...]