Drupalgeddon; Are you ready?

Just arrived here? Read my followup first.

Original post

The Drupal security team announced multiple highly critical updates to Drupal contrib modules in PSA-2016-001. Expect attacks within less than one hour from the announcement; 18 hours from the time this article is published. This is probably going to be Drupalgeddon all over again.

My advice

If you are prepared, you will save yourself a lot of time. If you are late or too slow, you will probably find yourself with a lot more work, e.g. the rescue workflow for Drupalgeddon 1.

Today

Don't skimp on the first two. And do at least one of "3. Update a contrib module" or "4. Learn how to apply patches". Which one you choose depends on your skills and how out of date the contrib modules are on your Drupal websites. Ideally, do both steps 3 & 4; you might find one of them is significantly challenging for you.

  1. Backup your Drupal 7 websites; Database, code & files directory
  2. Plan to be online at 1600 Wednesday 13 July 2016 UTC. In other timezones:
    America/Los_Angeles: 0900 Wednesday 13 Jul
    America/New_York: 1200 Wednesday 13 Jul
    Europe/London: 1700 Wednesday 13 Jul
    Europe/Paris: 1800 Wednesday 13 Jul
    Australia/Sydney: 0200 Thursday 14 Jul
    Pacific/Auckland: 0400 Thursday 14 Jul
  3. Update a contrib module on each of your Drupal 7 website(s) to make sure there will be no problems and you know how to do it. Do it manually by downloading the module from Drupal.org. The update server that Drush and Drupal use might be delayed, overloaded or under attack.
  4. Learn how to apply patches:
    1. Choose any popular module that your website uses, e.g. Views
    2. Navigate to the module's issue queue
    3. Filter for "Reviewed & tested by the community"
    4. Filter for the version of the module your website uses
    5. E.g. Views 7.3 RTBC issues
    6. Open any issue
    7. Download any .patch file
    8. Apply it using Drupal's documentation, which boils down to something like:
      1. cd sites/all/modules/views/
      2. patch -p1 < ~/Downloads/views-fix_hide_rewriting_if_empty-1428256-21.patch
      3. Test the patched module still works
  5. Restore your website from the backup into a new environment to make sure your backup is complete, you have sufficient access and you know how to do it. If you are on time and fast, this won't become necessary. But just in case...
  6. Subscribe to Drupal security email announcements: Log in on Drupal.org, go to your user profile page and subscribe to the security newsletter on the "Edit » My newsletters" tab.
  7. Consider taking servers that host highly sensitive data offline if your Drupal website can reach them. Drupal's maintenance mode may not be sufficient protection.
  8. If you can move to a Drupal-tailored web host easily, do so. They often offer additional protection while you work on applying updates. I usually recommend Pantheon.
  9. Take stock of any modifications (patches) to Drupal core and contrib modules. The Hacked! module automates most of this.
  10. Clean up and/or take stock of any unusual files in your website. A version control system like git makes this easy.
  11. Use the Security Review module to check if you have configured your Drupal website securely.
  12. Backup your website again if you made changes since the last backup.
  13. Subscribe to my blog;
    • I will post any important or relevant updates, more aggressively than what the Drupal Security Team is able to
    • Submit your email address in the right sidebar.
    • You can unsubscribe anytime (I won't be offended)

At T minus 1-hour

At 1500 Wednesday 13 July 2016 UTC, an hour before the scheduled time:

Do what you need to do to have the next few hours free from distractions; I.e. eat, use the bathroom, get comfortable.

At 1600 Wednesday 13 July 2016 UTC

  1. Look for contrib security advisories on Drupal.org.
  2. For each advisory that is published, check if your website(s) use the module. If yes, update it.
  3. Check you are receiving security advisory emails. Sometimes the highly critical updates require followup.
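
For step 2 above, one way to check a site against the advisory list from the shell (an added example, not part of the original post). It assumes the modules were installed from Drupal.org release archives, whose .info files carry the project and version lines added by the packaging script; the module names, versions and advisory list are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post. Module names, versions and
# the advisory list are constructed sample data.

# Read one key from a Drupal 7 .info file (quoted or unquoted value).
info_value() {
  tr -d '\r' < "$2" |
    sed -n "s/^$1 *= *\"\{0,1\}\([^\"]*\)\"\{0,1\} *\$/\1/p" | head -n 1
}

# Print "project version" once per packaged project found under DOCROOT.
# Submodules share their parent's project name, so sort -u collapses them.
installed_projects() {
  find "$1/sites" "$1/profiles" -type f -name '*.info' 2>/dev/null |
    while IFS= read -r info; do
      project=$(info_value project "$info")
      version=$(info_value version "$info")
      if [ -n "$project" ]; then
        printf '%s %s\n' "$project" "${version:-unknown}"
      fi
    done | sort -u
}

# Print the installed projects named in ADVISORY_LIST (one machine name
# per line, typed in by hand from the published advisories).
affected_projects() {
  installed_projects "$1" | while read -r project version; do
    if grep -qxF -- "$project" "$2"; then
      printf 'UPDATE %s (installed: %s)\n' "$project" "$version"
    fi
  done
}

# Build a throwaway docroot with constructed .info files for the demo.
make_demo_site() {
  root=$(mktemp -d) && m="$root/sites/all/modules"
  mkdir -p "$m/views" "$m/example_gallery" "$m/custom/mysite"
  printf 'name = Views\nversion = "7.x-3.14"\nproject = "views"\n' > "$m/views/views.info"
  printf 'name = Views UI\nversion = "7.x-3.14"\nproject = "views"\n' > "$m/views/views_ui.info"
  printf 'name = Gallery\r\nversion = "7.x-1.2"\r\nproject = "example_gallery"\r\n' > "$m/example_gallery/example_gallery.info"
  printf 'name = My site glue\ncore = 7.x\n' > "$m/custom/mysite/mysite.info"
  printf 'example_gallery\nexample_unused\n' > "$root/advisories.txt"
  printf '%s\n' "$root"
}

site=$(make_demo_site)
affected_projects "$site" "$site/advisories.txt"
rm -rf "$site"
```

Modules checked out from git and custom code have no project line in their .info files and are skipped, so check those by hand.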

Drupal 6

The Drupal security team no longer supports Drupal 6, so we don't yet know if it is vulnerable or if there will be a patch. All of the above applies and you should do it, but if Drupal 6 is vulnerable, patches or updates will probably be provided by the Drupal 6 long term support (LTS) programme.

Worst case, be prepared to roll-back to your backup from before the announcement.

Consider also:

  1. Accelerating your plans to upgrade to Drupal 7 or 8
  2. Taking your server or website offline
  3. Archiving it as a static HTML website (no PHP)
  4. Maintenance mode or locked-down permissions to be read-only is better than nothing, but may not offer any protection

Will I be affected?

The Drupal security team have added that the affected contrib modules are used on between 1,000 and 10,000 sites. That limits the affected modules to those ranked 522 to 2180; just 1680 of the most popular 2000 Drupal contrib modules. Some Drupal websites, especially simple ones, will be lucky in that they won't be using an affected contrib module. But don't count on luck.

Comments

Drupal 6 long term support

Your section about Drupal 6 is a bit incomplete. Support for it is available at https://www.drupal.org/project/d6lts

I hope you'll add that.

BTW, for point number 3 in the Drupal 6 section a good guide is https://www.drupal.org/node/27882

Thanks! Updated

Thanks Greg; Updated

A disgrace

Another black mark on Drupal's reputation. Wasn't WordPress supposed to be the insecure one? At least that's the story we were fed by the powers that be. Changes are needed at the top.

Thanks for the

Thanks for the information!

Backups are ready and @ 16 UTC I will be standby at my office...
It sounds like a war is coming... :-)

Use a known deployment workflow

"Do it manually by downloading the module from Drupal.org. The update server that Drush and Drupal use might be delayed, overloaded or under attack."

Drush and Drupal download the same files from the same URLs as the release pages on Drupal.org. We have a solid CDN distributing the load, https://www.drupal.org/drupalorg/blog/drupal.org-migrates-content-and-fi.... Over the past few years we've eliminated time for syncing and cache clearing in the update status and package downloading systems.

If your site has a good, quick deployment workflow you are comfortable with, stick to it. Don't risk using an unfamiliar workflow if it isn't necessary.

Thanks Neil! I should have

Thanks Neil! I should have clarified that you probably won't need to install manually when the new releases are available, but to be prepared to do so.

Hi - apologies for the dumb

Hi - apologies for the dumb question but what happens to Distributions that contain affected modules? Are they going to release a new version that needs to be updated manually as if it were a core update?

That is the process. However

That is the process. However distribution maintainers might take a while. I suggest you update vulnerable modules independently.

Not so highly critical?

I published my followup now that the security advisories have been published; Not so highly critical?