Drupal Install Script (in Virtualmin Pro) updated to address Drupal SA-CORE-2018-002

Howdy all,

If you have Drupal installations on your Virtualmin system, you’ll need to update them immediately, as there has been a very serious security issue discovered in all versions (6, 7, and 8).

If you installed via the Virtualmin Pro Install Script for Drupal, we’ve rolled an update for versions 7.58 and 8.5.1, but Install Scripts normally only update daily, so you’ll want to force an immediate update to get this new version. You can do that by browsing to System Settings->Script Installers->Installer Updates and then click Save (this won’t change your settings, but will cause any Install Scripts you have configured to update automatically to update now). Note that if you don’t have the Installer Updates feature enabled, you’ll need to enable it, at least for Drupal, for the new version to be downloaded when you click Save. (Though we recommend you keep this feature enabled.)

Once the new version has been downloaded, you can use the Upgrade Scripts tab to upgrade across all of your domains.

Because this is such a serious security vulnerability, and because it is so easily exploitable, you likely don’t have a lot of time to get the update done. I recommend you drop everything and get it done today, if you have any Drupal installations.

Feel free to ask questions here or in the issue tracker, if you run into any problems.

The Drupal security team announcement: https://www.drupal.org/sa-core-2018-002

The FAQ about the exploit from the Drupal team: https://groups.drupal.org/security/faq-2018-002

We, obviously, don’t have any insight into the issue beyond what is public (we’re not Drupal developers, except here on our own site), so any advanced technical questions about the Drupal side of things is best taken up with either the Drupal community or your Drupal developer. But, we can help with any problems you have getting Virtualmin to fetch the latest version of the installer and to trigger the update across all of your Drupal sites.

Cheers,

Joe