Drupal megaflaw raises questions over CMS bods' crisis mgmt

The security world has been shocked to its foundations following ominous warnings that millions of Drupal websites that didn't apply a critical patch within hours of its release earlier this month should be regarded as hopelessly compromised. The maintainers of the Drupal content management system warned users that “automated …

  1. Anonymous Coward

    That's what you get for not using

    TYPO3

    Drupal isn't a CMS; it was designed to run a forum. Now you see why.

    1. macjules

      Re: That's what you get for not using

      Like saying that Facebook wasn't intended to be a social network, it was built to give Zuckerberg fapping material via pictures of female students through hacked university private dormitory ID images.

    2. Captain Scarlet
      Paris Hilton

      Re: That's what you get for not using

      The last time I checked TYPO3 had a big learning curve; Drupal and other CMS scripts such as e107 are simple to set up and do what most people need.

      Paris because obviously I'm dumb for not using TYPO3

    3. Charlie Clark

      Re: That's what you get for not using

      Yes, as if Typo 3 doesn't have its own set of problems.

      All software has bugs.

      1. elip

        Re: That's what you get for not using

        There are bugs in all software, yes. But there are bugs, and there are egregious repeated examples of recklessness. Choose your software wisely.

  2. batfastad

    Horrendous!

    I don't really understand why it took until the 29th to advise users that they should probably restore from backups. We have backups of course but each day that goes by makes restoring from a backup almost exponentially less feasible.

    People who are active in the community and spend all day in #drupal on IRC might stay on top of the aftermath of something like this. But I don't think most users of Drupal employ full-time babysitters for their CMS. Many Drupal site administrators are probably not the most technical either, it's a point-n-click application, so why bother employing a sysadmin when we can pay for Jonny Wordpress to have a morning of Drupal training and a book to not read.

    At best Jonny Wordpress might subscribe to the security announcement feeds or mailing lists. Perhaps even these... https://www.drupal.org/security/rss.xml and https://www.drupal.org/security/psa/rss.xml

    In which case he would have no idea of the total sh*tstorm that's rained down in the intervening 2 weeks.

    SQL injection is horrendous and especially bad news where so much of a site's structure and config is stored in the database. And even worse when the bug has been present for the 3+ years since the release of Drupal 7.

    I've always thought Drupal was a total dog of a CMS. Unfortunately though it's the easiest dog there is for fudging custom applications without too much actual development experience required.

    Typically I see 200+ DB queries to load a page, 4k+ in some cases with a totally cold cache. And people wonder why their Drupal sites have such poor performance! The best way to use Drupal is to not use Drupal at all, and I'm not just being an arse by saying that, I mean just use it as a glorified static HTML generator and cache the result in Varnish/nginx.

    IMO if you need 300 modules and blobs of code to get a thing to do what you want, you should probably be doing it yourself anyway.

    Lol, I suppose the old witty IRC reply to questions/requests for help does apply in this case... Not happy? Ask for a refund*

    * I'm not slating open source in the slightest so pls don't downvote. Anyone who works with open source projects will have seen someone reply with that at some stage.

    1. macjules

      Re: Horrendous!

      It didn't take that long. The announcement was made on October 15, 2014 at 3:54pm EST and released to the community immediately. If you waited more than 7 hours then you stood a chance that your site might have been compromised.

      Original announcement: https://www.drupal.org/node/2357241

      What to do: https://www.drupal.org/node/2365547

      Project DrupalGeddon: https://www.drupal.org/project/drupalgeddon

      1. batfastad

        Re: Horrendous!

        Yes it did take that long.

        The original security advisory was posted on the 15th Oct. The next follow-up announcement informing you that you need to patch within 7 hours or restore from backup, came on the 29th Oct... https://www.drupal.org/PSA-2014-003

        Is it just me that finds it insane that it takes 2 weeks to provide that follow-up advice through the official channels?

  3. G Watty What?

    "..hard pill for some sites to follow..."

    To follow? I would imagine the only following this pill caused anyone was to follow through.

    Current Status - Brown
