Cruiskeen Consulting LLC

Drupal 6.31 and 7.27

New security releases of Drupal came out yesterday.  We are in the process of upgrading the sites that we have under maintenance contracts. This will take a few days to get through all of the different sites. This is only a moderately concerning update and will only affect some sites depending on how they are configured.  In particular, this is likely to only affect sites that use multi-step or AJAX forms that are exposed to anonymous users.  We will attempt to work our way through sites in the order of how vulnerable we believe they will be to this bug.

Heartbleed Security Flaw

Many of you have undoubtedly been reading about the Heartbleed security issue with OpenSSL. Some of our servers were vulnerable to Heartbleed - notably our CentOS 6 servers.  The ones running CentOS 5 were not vulnerable because they are based on an older version of OpenSSL.  We upgraded the OpenSSL library on all of our vulnerable servers as soon as a patched version was available, and none of our servers are now vulnerable to this exploit.  We have re-keyed the secure certificates for our clients who were under maintenance contracts.  We would recommend that everyone go out and update your passwords on any web-based systems that may have been vulnerable to this exploit, including logins for email accounts.  If you are having any trouble with this on our systems, please let us know.

Please note that the administrative panel logins on our servers were not vulnerable to this exploit - but your logins through SSL on your own web sites were, possibly.  In any case, rotating passwords occasionally is always a good policy, and we would also recommend (as the Internet gets more and more lawless) that you think seriously about using a password system (we happen to like LastPass) to keep track of your passwords, allowing you to generate random passwords for sites, but to still keep track of them.  Last of all, we'd like to recommend that you think about implementing dual authorization on your important logins.  We are using Authy on some of our administration software to require that we not only have a password, but a random one-time key to log in to our servers.