WordPress and Drupal work together to release joint security updates: WordPress 3.9.2, Drupal 7.31 and 6.33

In a humbling instance of community-driven purpose, the WordPress.org and Drupal Core Security Teams, respectively, have released joint updates to their platforms that address a security vulnerability that could be exploited in either CMS. Users of either platform are encouraged to update to the most secure version of WordPress / Drupal immediately.
As reported by Mashable, “The vulnerability uses a well-known XML Quadratic Blowup Attack — and when executed, it can take down an entire website or server almost instantly.”
This is the first time that these two project have worked together to release “coordinated joint security releases,” WordPress Security Team member Andrew Nacin said.
The XML vulnerability was first reported by Nir Goldshlager, a security researcher for Salesforce.com. This isn’t necessarily out of the ordinary. Goldshlager is a member of Salesforce’s product security team — researching security issues is what he specializes in. However, what is out of the ordinary, and what Goldshlager and Salesforce’s security team should be commended for, is the concerted level of cooperation and careful disclosure by all parties involved throughout the entire issue.
Goldshlager’s first step was to contact WordPress and Drupal to notify them of the security vulnerability his team had uncovered. The WordPress and Drupal core security teams then worked in tandem to create updates for their platforms to fix the issue.
Christina Warren, the writer for Mashable who first reported the issue, also worked closely with Goldshlager in preparing her story. And, exercising an increasingly rare degree of thoughtful community journalism, Warren held onto the story until WordPress and Drupal had security fixes in place.
All of this teamwork resulted in an article about the “major security vulnerability” being posted after WordPress and Drupal had released updates to address the issue.
Responsible disclosure was the best way to get the issue out in the open, and also fixed,” Warren and Goldshlager wrote. “Notably, the WordPress and Drupal teams worked together on this solution and timed their security releases to coincide with one another. Because the vulnerability targets WordPress’s XML-RPC library file — a file that Drupal uses a derivative of — it made sense for the teams to work together on a patch and release.”
The WordPress Security Update is version 3.9.2, the release announcement is posted here, and the full release notes can be found here. If you like to dive deeper into these types of security updates, the WordPress Core Changelog can be viewed here. The Drupal announcement is posted here, and the updated secure versions are 7.31 and 6.33.
Again, we recommend that users of either platform update their sites as soon as possible to mitigate potential attacks that target this security vulnerability.
In addition to the main security issue at hand, the WordPress 3.9.2 update contains the following changes:
  • Fixes a possible but unlikely code execution when processing widgets.
  • Prevents information disclosure via XML entity attacks.
  • Adds protections against brute attacks against CSRF tokens.
  • And additional security hardening.
Once more, we’d like to make a special tip-of-the-hat to everyone involved in the way this security vulnerability was handled — and resolved. This is the way a major security vulnerability should be covered: with careful consideration to the users, and a healthy dose of teamwork between the security teams involved.
As always, if you have any questions about setting up your own site’s updates (be it in WordPress or Drupal), don’t hesitate to call a member of our support team. And if you’d prefer to let us completely handle your site upgrade, we’ll be happy to help.
Works Cited / For Further Reading:
Major security vulnerability in WordPress, Drupal could take down websites. (Mashable)
WordPress and Drupal Teams collaborate for simultaneous security releases. (Post Status)
WordPress 3.9.2 security release announcement. (WordPress.org)
WordPress version 3.9.2 release notes. (WordPress.org Codex)
WordPress Core Changelog branches / 3.9.2. (WordPress.org Core)
Drupal Core security release announcement. (Drupal.org)
Drupal version 7.31 release notes. (Drupal.org)
Drupal version 6.33 release notes. (Drupal.org)