undefined | Better HN

0 pointspearjuice11y ago0 comments

That's impressive given the exploit is a day old.

0 comments

antsar11y ago

FTFA:

> Disclosure Timeline:

> 16. Sep. 2014 - Notified the Drupal devs via security contact form

> 15. Okt. 2014 - Relase of Bugfix by Drupal core Developers

pearjuiceOP11y ago

Ah, must have overlooked the months. Makes me wonder why they left this in the wild for a month and now suddenly put thousands of installations at risk.

TacticalMalice11y ago

> now suddenly put thousands of installations at risk

There's a solution that goes with the advisory. You cannot provide a patch without putting sites at risk.

Furthermore, the vulnerability was present since the Drupal 7.0 release, several years ago. There were no exploits seen in the wild. What are a few weeks then?

The team decided that speed to patch sites asap _after_ release of the information was critical. This is the reason why it was released after a pre-announcement and after a conference tying up most stakeholders.

TacticalMalice11y ago

Drupal.org was a qa testcase for the patch.

j / k navigate · click thread line to collapse

0 comments

antsar11y ago

FTFA:

> Disclosure Timeline:

> 16. Sep. 2014 - Notified the Drupal devs via security contact form

> 15. Okt. 2014 - Relase of Bugfix by Drupal core Developers

pearjuiceOP11y ago

Ah, must have overlooked the months. Makes me wonder why they left this in the wild for a month and now suddenly put thousands of installations at risk.

TacticalMalice11y ago

> now suddenly put thousands of installations at risk

There's a solution that goes with the advisory. You cannot provide a patch without putting sites at risk.

Furthermore, the vulnerability was present since the Drupal 7.0 release, several years ago. There were no exploits seen in the wild. What are a few weeks then?

TacticalMalice11y ago

Drupal.org was a qa testcase for the patch.

j / k navigate · click thread line to collapse