Drupal PSA-2016-001 (Coder, restws, and webform_multifile remote code vulns)

Submitted by ctadmin on Wed, 07/13/2016 - 09:55

CanTrust servers have been fully protected from the PSA-2016-001 security vulnerabilities.

The coder module in particular is found in many Drupal distribution profiles, and is vulnerable even if not enabled. To be safe, CanTrust staff have removed all instances of the coder module from server filesystems. This change will not break your sites, as coder is a developer module. It may cause problems with Git source control, though, so you can contact us to have the files restored or for help with properly deploying a fix through source control.

We notified all affected customers within 20 minutes of the security announcement and had all servers secured by 16:45 UTC, within an hour of the vulnerabilities being disclosed. Please contact us if you require assistance with source code deployment after the fact.

For more information, see the security advisories from Drupal:

https://www.drupal.org/psa-2016-001

https://www.drupal.org/node/2765575

https://www.drupal.org/node/2765567 (not used by any CanTrust customers)

https://www.drupal.org/node/2765573 (not used by any CanTrust customers)