Information Security Announcements
Drupal Submenu Tree Module 6.x-1.6 Approved
We have completed a security review of the Submenu Tree module (http://drupal.org/project/submenutree) version 6.x-1.6 and found no issues. This module has been added to our approved modules list at http://www.sas.upenn.edu/computing/drupal-approved-modules.
Drupal Forward Module Upgraded to 6.x-1.20
In response to Drupal Security's security announcement SA-2011-035 (http://drupal.org/node/1252328) we have reviewed, approved, and upgraded our version of the Forward module (http://drupal.org/project/forward) to the latest version (6.x-1.20).
Drupal XMLSiteMap Module 6.x-1.2 Approved
"The XML sitemap module creates a sitemap that conforms to the sitemaps.org specification. This helps search engines to more intelligently crawl a website and keep their results up to date. The sitemap created by the module can be automatically submitted to Ask, Google, Bing (formerly Windows Live Search), and Yahoo! search engines. The module also comes with several submodules that can add sitemap links for content, menu items, taxonomy terms, and user profiles." (http://drupal.org/project/xmlsitemap). The XMLSiteMap module version 6.x-1.2 has been approved and added to the list of approved modules accordingly (http://www.sas.upenn.edu/computing/drupal-approved-modules).
Drupal Nodereference URL Module 6.x-1.11 Approved
"The Node Reference URL Widget module adds a new widget to the Node Reference field type. It auto-populates a node reference field with a value from the URL, and does not allow this value to be changed once set. It can automatically provide a link on the referencing node types, that will contain the proper URL to prepopulate the field." (http://drupal.org/project/nodereference_url). We have reviewed the 6.x-1.11 version of the Nodereference URL module and approved it for use.
Drupal Views Slideshow: Dynamic Display Block Module 6.x-2.0 Approved
The Views Slideshow Dynamic Display Block (http://drupal.org/project/views_slideshow_ddblock) module "enables you to present content in a dynamic way. For creating slideshow effects it uses the jQuery Cycle plug-in." We have reviewed the latest (2.x) branch of the module and approved it for use. The updated version of the module (6.x-2.0) has been installed in our environment, replacing the previously installed 6.x-1.1 version.
Drupal Embedded Media Field Module 6.x-1.26 Approved
The latest version of the Embedded Media Field module (http://drupal.org/project/emfield) version 6.x-1.26 has been approved and installed on production servers. This update should be seamless for all sites currently using the previously approved version of the module.
Latest Flash Player Vulnerabilities Now Being Actively Exploited
On Tuesday, June 14th, Adobe issued updates to Adobe Flash Player to fix multiple security vulnerabilities. These updates are strongly recommended for users of all previous versions of Adobe Flash Player on both Windows and Mac OS.
The issues fixed by this update are now being exploited in the wild on a large scale. ISC strongly suggests that all users of Adobe Flash Player update to version 10.3.181.26 as soon as possible.
References
Adobe's security bulletin on these vulnerabilities is located here:
http://www.adobe.com/support/security/bulletins/apsb11-18.html
The direct download link for Adobe Flash Player 10.3.181.26 is located here:
http://get.adobe.com/flashplayer/otherversions/
The Supported Products and Supported Products for Providers pages for Adobe Flash Player have related information at:
http://www.upenn.edu/computing/product/specs/flashplayer.html
http://www.upenn.edu/computing/provider/product/specs/flashplayerprovide...
Drupal Admin Menu Module 6.x-1.8 Approved
The Drupal Administration Menu module (http://drupal.org/project/admin_menu) version 6.x-1.8 has been reviewed and approved and is ready for use in production environments. This update includes a number of silent security fixes for which Drupal security announcements were not released, mainly to protect against cross-site request forgery (CSRF/XSRF) attacks, as well as a few bug fixes.
Drupal Menu Attributes Module 6.x-1.4 Approved
The Menu Attributes module (http://drupal.org/project/menu_attributes) version 6.x-1.4 has been approved and is now available for use on Drupal sites. The list of Drupal approved modules (http://www.sas.upenn.edu/computing/drupal-approved-modules) has been updated accordingly. Menu Attributes "allows you to specify some additional attributes for menu items such as id, name, class, style, and rel."
Drupal jQuery Update Module 6.x-1.1 Approved
The jQuery Update module (http://drupal.org/project/jquery_update) version 6.x-1.1 has been approved and is now available for use on Drupal sites. The list of Drupal approved modules (http://www.sas.upenn.edu/computing/drupal-approved-modules) has been updated accordingly. jQuery Update "upgrades the version of jQuery in Drupal core to a newer version of jQuery." On Drupal 6 this will currently enable jQuery 1.3.2. jQuery Update is a helper module that mainly enables jQuery functionality in support of other modules.