http://www.theregister.co.uk/2010/06/10/drupal_security_changes/

By Gavin Clarke
The Register
10th June 2010

Webmasters running unfinished modules for Drupal do so at their own risk after the open-source CMS updated its guidelines on fixing security vulnerabilities.

The project has updated the wording on its security site on how it handles security fixes to clarify it will only work on vulnerabilities in completed code of modules that comprise the CMS.

The change clarifies that modules in release-candidate mode will not be supported.

Drupal will work with maintainers of modules that are code complete, with maintainers now given a deadline to fix the problem. If the deadline's missed, the module and the project will be unpublished from Drupal.org.

Vulnerabilities in unfinished code will simply be flagged in the module's issue queue.

The clarifications are a response to the discovery of a potentially serious XSS hole in the Drupal Context module three weeks after White House developers proudly released their own plug-in based on the buggy module.

[...]

Received on Thu Jun 10 2010 - 22:03:31 PDT