Every now and then an important Drupal core security update is released, and on the 17th June one came along that affects both Drupal 6 and Drupal 7. The update relates to a few Drupal components:
- The OpenID module that ships with Drupal core and allows users to log into Drupal websites using accounts on 3rd party websites is updated to prevent malicious users being able to log in as other users on the site, including administrators, and hijack their accounts under certain conditions.
- The Field UI module in Drupal 7 is patched to prevent malicious users being able to redirect website visitors to 3rd party websites under certain conditions. This vulnerability is mitigated by the fact that only sites with the Field UI module enabled are affected.
More information about these updates can be found in the security advisory in the release notes for Drupal 7.38 and Drupal 6.36, SA-CORE-2015-002. If you are an O'Brien Media customer you can find out more about security updates for your website in our support pages.