= Protecting our members from Drupageddon =

On October 15, 2014 Drupal released a security patch that fixes a major vulnerability in Drupal. All May First/People Link members who use our central/shared Drupal installation received an upgraded version of Drupal within 2 hours of the announcement and therefore should have been protected from any exploits.

However, members that manage their own Drupal 7 installations may still be at risk.

This page documents instructions for MF/PL support team members on how to check servers for vulnerable sites.

= Find potentially vulnerable sites =

Ross has made a list of all potentially vulnerable sites on hay (in /root/drupal-7-insecure-databases.txt). They are listed by MOSH.

In addition, there is a script (that was used to generate this list) in /tmp/find-drupal-7-pre-3.2 on each MOSH. You can re-run this script as often as you need to.

This script finds databases that it thinks are Drupal 7 sites that are not running version 7.32. There are a lot of false positives (Drupal databases that are no longer in use, etc.).

If you are an MF/PL admin, please check for sites on your MOSHes.

= What to do =

When you find a site, become the user that owns the site, cd into the web directory, and then search for all settings.php files:

{{{
find . -name settings.php
}}}

Check each settings.php file that is returned to see whether the database named as compromised is in use. If it is in use, use drush to upgrade the core software:

{{{
drush up drupal
}}}
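The settings.php check described under "What to do" can be scripted. The following is an added example, not MF/PL's own script or the one in /tmp; the function names `settings_using_db` and `make_sample_tree`, the database names and the sample tree are all constructed for illustration. It prints only the settings.php files whose active (non-comment) configuration names the database in question, which helps weed out the false positives mentioned above.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).

# settings_using_db WEBDIR DBNAME
# Prints every settings.php under WEBDIR that actively uses DBNAME.
settings_using_db() {
    webdir=$1; dbname=$2
    find "$webdir" -name settings.php -type f | sort | while IFS= read -r f; do
        # 1. Drop PHP comment lines (//, #, /* and " * " doc-block lines) so
        #    examples in comments do not count as "in use".
        # 2. Extract the value of each Drupal 7 'database' => 'NAME' entry.
        # 3. Compare as a fixed, whole-line string (no regex surprises).
        if grep -Ev '^[[:space:]]*(//|#|/?\*)' "$f" |
           sed -n "s/.*['\"]database['\"][[:space:]]*=>[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" |
           grep -Fxq -- "$dbname"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample: a multisite tree with one site on drupal_live, one on
# other_db, and an old copy that mentions drupal_live only in a comment.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/sites/default" "$root/sites/b.example.org" "$root/old/sites/default"
    cat > "$root/sites/default/settings.php" <<'EOF'
<?php
$databases = array (
  'default' => array (
    'default' => array (
      'database' => 'drupal_live',
      'driver' => 'mysql',
    ),
  ),
);
EOF
    printf "<?php\n\$databases['default']['default'] = array('database' => 'other_db');\n" \
        > "$root/sites/b.example.org/settings.php"
    printf "<?php\n// 'database' => 'drupal_live',\n\$databases = array();\n" \
        > "$root/old/sites/default/settings.php"
    printf '%s\n' "$root"
}

# Demo on the constructed tree: only sites/default/settings.php is listed.
tree=$(make_sample_tree)
settings_using_db "$tree" drupal_live
rm -rf "$tree"
```

On a real MOSH, run `settings_using_db . DBNAME` from the web directory as the user that owns the site, with DBNAME taken from the list of potentially vulnerable databases.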