July 12th, 2016
- Advisory ID: DRUPAL-PSA-2016-001
- Project: Drupal contributed modules
- Version: 7.x
- Date: 2016-July-12
- Security risk: 22/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All
- Vulnerability: Arbitrary PHP code execution
Update: Release Announcements
The following modules have security releases that are now available, listed in order of severity. There are no more releases planned for today.
- RESTWS – Highly Critical – Remote Code Execution – SA-CONTRIB-2016-040
- Coder – Highly Critical – Remote Code Execution – SA-CONTRIB-2016-039
- Webform Multiple File Upload – Critical – Remote Code Execution – SA-CONTRIB-2016-038
There will be multiple releases of Drupal contributed modules on Wednesday July 13th 2016 16:00 UTC that will fix highly critical remote code execution vulnerabilities (risk scores up to 22/25). These contributed modules are used on between 1,000 and 10,000 sites. The Drupal Security Team urges you to reserve time for module updates at that time because exploits are expected to be developed within hours/days. Release announcements will appear at the standard announcement locations.
Drupal core is not affected. Not all sites will be affected. You should review the published advisories on July 13th 2016 to see if any modules you use are affected.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Edited to add: approximate usage of the modules, links to the final releases, and that there are no more releases for today.