Drupal devs lay out plan for fixing their CMS

Jan 11, 2016 13:12 GMT

Last week, a security researcher from IOActive published a series of security vulnerabilities affecting Drupal's update mechanism. Two days later, the Drupal team announced it had started work to finally fix the issues, having previously been made aware of some of the problems as early as 2012.

According to members of the Drupal Security Team, the CMS' maintainers were well aware of the issues, as IOActive's Fernando Arnaboldi debriefed the security staff before going public with his findings.

Seeing no immediate danger, the Drupal team allowed Mr. Arnaboldi to publish his post and started working on some of the reported issues.

Here are the Drupal team's plans for fixing the three bugs reported by Mr. Arnaboldi:

Issue #1 - Drupal shows incorrect "Up to date" message when update process fails

Drupal says that the impact of this problem is limited to the CMS' backend page, and that developers can find out about new Drupal releases via a plethora of other channels, such as RSS, Twitter, the Drupal homepage, email newsletters, etc.

Nevertheless, the team started working on a patch.

Issue #2 - CSRF bug on the "Check Manually" update button

While using this functionality to launch DDoS attacks on Drupal.org is only a theoretical possibility, the Drupal team acknowledged that this bug could be used to control the time at which a Drupal site checks for updates. This could be useful to an attacker who is sniffing local traffic and wants to coordinate and synchronize other, more complex attacks.

A bug fix has also been started for this issue and will be provided in a future CMS version.

Issue #3 - Drupal sites can be compromised because core and module updates are sent via unencrypted channels and their source is not verified

For this problem, the team started a series of separate topics on its bug reporting portal. They are working on adding SSL support to the update process, both for the core update status function inside the CMS and for Drupal updates delivered via its version control system.

Additionally, SSL support has already been applied to download links served via project pages, and to downloads served via Drush, a command-line utility for managing Drupal sites.

As for verifying a package's authenticity, Drupal says that file checksums were and still are available. What led everyone to believe they had been removed was the confusion created after the Drupal team changed their location on the Drupal.org website. Currently, the file checksums for each package can be viewed by clicking the "View all releases" link on each project's page (all Drupal releases and their checksums are here).

Until all fixes are ready and deployed via a Drupal core update, the developers recommend using Drush 7 or higher to apply updates or manually downloading project files from the Drupal website.
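The manual workaround above (download the project file from the Drupal website, then compare it with the published checksum) is easy to get wrong if the download URL is plain HTTP or the comparison is skipped on error. The following is an added example, not Drupal's or Drush's code: a small verifier that refuses non-HTTPS URLs and checks a downloaded archive against an expected SHA-256 digest. SHA-256 is an assumption here (the article does not say which hash Drupal.org publishes), and the archive bytes and expected digest are constructed inline so the example runs offline.

```python
import hashlib
import hmac
from urllib.parse import urlparse


class DownloadVerificationError(Exception):
    """Raised when a package must not be installed."""


def require_https(url: str) -> str:
    """Reject any download URL that is not HTTPS (Issue #3: unencrypted channel)."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise DownloadVerificationError(f"refusing non-HTTPS download URL: {url}")
    return url


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the archive's SHA-256 with the published value in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_package(url: str, data: bytes, expected_hex: str) -> bool:
    """Return True only if the URL was HTTPS and the bytes match the checksum.

    Any failure raises so that a caller cannot accidentally proceed to install.
    """
    require_https(url)
    if not sha256_matches(data, expected_hex):
        raise DownloadVerificationError(
            "SHA-256 mismatch: archive was modified or checksum is wrong; discard it"
        )
    return True


# Constructed sample: stands in for a downloaded .tar.gz and its published digest.
SAMPLE_ARCHIVE = b"constructed sample archive bytes, not a real Drupal release\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()
SAMPLE_URL = "https://example.invalid/project-1.0.tar.gz"  # placeholder URL


if __name__ == "__main__":
    print("intact archive:", verify_package(SAMPLE_URL, SAMPLE_ARCHIVE, SAMPLE_DIGEST))
    try:
        verify_package(SAMPLE_URL, SAMPLE_ARCHIVE + b"x", SAMPLE_DIGEST)
    except DownloadVerificationError as err:
        print("tampered archive:", err)
```

A checksum fetched over the same unauthenticated channel as the archive proves only that the two arrived together; the value should come from the project's release page served over HTTPS, as the article notes Drupal.org now does, or from a signature the site operator can verify independently.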