Added CVE-2014-3704 - a highly critical SQL injection vulnerability. See Drupal advisory "SA-CORE-2014-005 - Drupal core - SQL injection" for full details: https://www.drupal.org/SA-CORE-2014-005
This can be fixed with just one file change to /includes/database/database.inc, but I do think we should consider updating to 7.32 as a fix, as this would wrap up six vulnerabilities. I also agree with the previous commenter that a CMS or framework is something which should be kept up to date to avoid security issues - it's no good keeping web browsers up to date if the web servers they fetch content from are growing ever more insecure. If that can't be done, then the package should be dropped from the repositories. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1262813 Title: multiple security issues in drupal7 package To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/drupal7/+bug/1262813/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs