Tips for Applying Today's Drupal Core Security Update (SA-CORE-2014-005)

Today a highly critical security update (SA-CORE-2014-005) was released for Drupal 7. Any Drupal site running Drupal 7.31 or lower needs to update to 7.32 or apply the patch immediately. Here are some tips to get your Drupal 7 site updated today!

Option 1: Hotfix

This is the "OMG I don't have time to update Drupal core right now" option. You'll still need to do the actual upgrade later though! This is just a temporary fix. It protects you from the security hole, but you'll still need to update Drupal core for a long-term fix.

There is just one file updated in this security update and so patching is pretty straightforward. This is a good option especially if you're just trying to quickly update a bunch of personal sites that you maintain and don't have time to do a full upgrade to 7.32. (Thanks to fellow Lullabot Matt Robison for this tip.)

  1. Make sure you're in your Drupal root directory.
  2. Run this command:
    curl https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch | patch -p1
  3. Make yourself a reminder on your calendar to do the real update!
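
A more cautious version of the same hotfix, as an added example that is not part of the original post: it saves the patch to a file, tries it with --dry-run before changing anything, and then confirms the fix by reading the patched file, since a hotfixed site still reports its old version number. The function names are made up for this example, and the two source lines it searches for are an assumption about how the unpatched and patched loop in includes/database/database.inc read.

```bash
# Added example, not part of the original post.
PATCH_URL="https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch"
TARGET="includes/database/database.inc"   # the one file this patch touches

# Print patched / unpatched / unknown for the Drupal root in $1.
# Assumption: the fix is recognised by the array_values() call the patch
# adds to the placeholder-expansion loop; anything else is "unknown".
hotfix_status() {
  local f="$1/$TARGET"
  if [ ! -r "$f" ]; then
    echo unknown
  elif grep -Fq 'foreach (array_values($data) as $i => $value)' "$f"; then
    echo patched
  elif grep -Fq 'foreach ($data as $i => $value)' "$f"; then
    echo unpatched
  else
    echo unknown
  fi
}

# Save the patch to a file, test it with --dry-run, apply it, then re-check.
apply_hotfix() {
  local root="$1" tmp rc
  case "$(hotfix_status "$root")" in
    patched) return 0 ;;
    unknown) echo "cannot assess $root, inspect it by hand" >&2; return 2 ;;
  esac
  command -v patch >/dev/null || { echo "patch is not installed" >&2; return 1; }
  tmp="$(mktemp)" || return 1
  curl -fsSL -o "$tmp" "$PATCH_URL" &&
    ( cd "$root" && patch -p1 --dry-run < "$tmp" >/dev/null && patch -p1 < "$tmp" )
  rc=$?
  rm -f "$tmp"
  [ "$rc" -eq 0 ] && [ "$(hotfix_status "$root")" = patched ]
}

# One status line per Drupal root, e.g. audit_sites /var/www/*
audit_sites() {
  local root
  for root in "$@"; do
    printf '%s\t%s\n' "$(hotfix_status "$root")" "$root"
  done
}
```

Running audit_sites over every docroot after a batch of hotfixes shows which sites were missed, which the version shown in the status report cannot tell you.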

Option 2: Use drush to update Drupal core

This is a good option for non-production sites, like on your local or development servers. You can then push the update up to your production site using git or other usual means. 

  1. Navigate to your Drupal root in Terminal (or another command-line interface), or use a drush alias if you have one.
  2. Run this command:
    drush up drupal
  3. Done!

Option 3: Upgrade Drupal Core Manually

This is a bit more time consuming but is ultimately the safest way to go. However, if it's so time consuming that you're putting it off, see option 1 and apply the patch! 

For this, I'm just going to point you to two resources:

  1. Update Drupal Core (documentation handbook page on drupal.org)
  2. For our members, a Drupalize.Me video on Updating Drupal Core

Whatever you choose, update today!

This is a super-important security update. There should be an option for everyone here, whether or not you "have the time." Update your Drupal 7 sites today!

By the way, the Drupalize.Me site was updated first thing today! Your data and trust are so important to us. Thank you for being a member.

Comments

If you are already on 7.31 and upgrading to 7.32, then there is little difference between applying the hotfix and the core release. You miss out on the test, and in reports you will still show 7.31, so 'catching' up when 7.33 comes out is not really an issue. Obviously, if you are on an older version, that's a different kettle of fish!!

For platforms built with a Drush make file using installation profiles, this kind of approach would be helpful, and at least for Drupal Commerce it works. Test first.

<code>
; Commerce Kickstart profile including Drupal core
projects[commerce_kickstart][type] = core
projects[commerce_kickstart][download][type] = get
projects[commerce_kickstart][download][url] = http://ftp.drupal.org/files/projects/commerce_kickstart-7.x-2.18-core.ta...
; Drupal core 7.32 -update patch:
projects[commerce_kickstart][patch] = https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch
</code>

The CURL tip was awesome! I updated 30 sites in under 15 minutes.

So what does curl do? I'm on Windows and don't have that option

Scratch that question; my *nix is coming back to me.
I expect that curl gets the info at the URL which is then piped to the patch command.

Thanks!

Is it possible for the webmaster (administrator) of a Drupal website to delete the notification alert which keeps warning at the top of the account?

I am running a site, www.nagaspiderweb.net, and am confused regarding these new updates.

That notification is there for a reason and should not be ignored. Drupal core needs to be updated in order to remove the security hole.

Can I apply this particular patch manually to all my older versions, like 7.12, 7.20, and so on? Or is there a minimum version of core that this patch can be applied to?

The patch should apply cleanly to any of those versions. However, don't forget that the best long-term course of action is to upgrade to 7.32.

I tried applying the Hotfix, and now I get a WSOD. The Apache error is as follows:
PHP Fatal error: require_once(): Failed opening required '[Drupal root]/includes/database/database.inc'
I verified that the file permissions are the same as before applying the Hotfix.

Are you using git? Then check out the modified database.inc and try manually patching the file. The other thing to check besides the permissions is the ownership of the file, to make sure your webserver user can read it. Of course, the best fix is to upgrade to 7.32, which might be just as much work as troubleshooting the error here.

I get the following error when using the first option. I am trying to do this update from 7.21 to 7.32 and running this on a terminal via ssh.

curl https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch | patch -p1
-bash: patch: command not found

What is the issue?

I did not have patch installed:

Did it by yum install patch, then ran this command. It worked.

Thanks!!!

Glad you got it figured out! :)

Hi,

Very helpful article!

Question - does the hotfix work for 6.xx versions? Specifically, 6.14. I know we're way out of date, but I just took over this function.

This patch is specifically for Drupal 7.x (not 6). See the advisory for more info: https://www.drupal.org/SA-CORE-2014-005
