Drupal 7.20 Released to Address DOS Vulnerability

Non-security fixes or new features are not included in the release

By on February 21st, 2013 09:23 GMT

Drupal 7.20 has been released to fix a critical remotely-exploitable denial-of-service (DOS) vulnerability.

According to the developers, the latest update doesn’t include any new features or non-security-related fixes, but all users of Drupal 7.x are advised to install the latest version to prevent potential cybercriminal operations.

“Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load,” the vulnerability advisory released by Drupal reads.

It notes, “Either of these effects may lead to the site becoming unavailable or unresponsive.”

A CVE identifier has been requested for the flaw and it will be added once it’s issued.

Drupal is available for download here

Comments