Are all Drupal 7.2x sites NON PCI compliant because of CVE-2011-2687, the node access bypass threat?


Hi team,

Sorry if this is in the wrong place, but extensive Googling couldn't find an answer.

We've just had a PCI compliance scan done by Trustwave, which says we need to fix CVE-2011-2687,
node-access-bypass insecurity, which was fixed in Drupal 7.3. See: https://drupal.org/node/1204582.

But the last release of Drupal 7.3 was in 2011!

And the Drupal.org home page says that 7.28 is the current release.

So does this mean every Drupal site in the world running the 7.2x branch
including 7.28 is not PCI compliant?

I can't believe this. Nevertheless I can't find any reference to the idea that this node access bypass insecurity is fixed in 7.28. I'm sure I must be missing something obvious, and apologies if I haven't looked in the right place to find an answer.

So, where is there documentation that this bug is fixed in later versions of 7.2? And if not, how can a Drupal 7.2x site become PCI compliant?

Thanks for your help.

Comments

Drupal release numbers are


Drupal release numbers are monotonic.

So, 3, 4, 5, 6, 7, 8, 9, 10, 11, etc.

In other words 7.28 includes everything from 7.3.

There is no branch except 7.x.

Are you running a Drupal version prior to 7.3? If so, that's foolishly out of date.

Great clarity, thanks!


Thanks for that clarity - I've only been using Drupal for a year (and love it) but haven't learnt all the details yet. I'm so used to modules and other programmes' major releases being 7.1n, 7.2n, 7.3n that it never occurred to me that 7.3 was actually an earlier version than 7.28. (We're running 7.26 at present)

Trustwave doesn't know this either; they consider 7.3 to be greater than 7.28 and hence throw a PCI compliance fail on detecting our 7.26 version.

We will do our best to educate them on this point. Hopefully that will help others who come across this issue.

Thanks again for your help.
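The whole thread comes down to one comparison rule: Drupal's "7.28" is release number 28 on the 7.x branch, not the decimal 7.28, so a scanner that compares version strings as decimals concludes that 7.26 (and even 7.28) predates the 7.3 fix for CVE-2011-2687. The following Python is an added example, not code from drupal.org, Drupal core or Trustwave; it puts the scanner's apparent decimal comparison beside a correct component-wise comparison so the false positive can be reproduced and checked. It assumes plain MAJOR.MINOR version strings as written in the thread (no "-dev" or "-beta" suffixes).

```python
"""Component-wise version comparison for Drupal core release numbers.

Added example, not code from drupal.org or the Drupal project. Assumes
Drupal core versions of the form MAJOR.MINOR ("7.26", "7.3", "7.28")
with no suffixes, as written in the thread above.
"""
from typing import Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Split "7.28" into the integer tuple (7, 28).

    Each dot-separated component is an independent integer, so "7.28"
    is the 28th release of the 7.x branch, not the decimal 7.28.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in parts)


def naive_decimal_compare(installed: str, fixed_in: str) -> bool:
    """The mistake the thread describes: treat the whole string as a decimal.

    Returns True if a scanner using this rule would consider the site
    patched. Under this rule 7.28 < 7.3, so 7.26 and even 7.28 are
    reported as missing a fix that shipped in 7.3.
    """
    return float(installed) >= float(fixed_in)


def includes_fix(installed: str, fixed_in: str) -> bool:
    """Correct check: monotonic, component-wise comparison within a branch.

    Releases on the 7.x branch are cumulative, so any release whose tuple
    is >= the fixing release's tuple already contains the fix. A fix for
    one major branch says nothing about another, so that case is refused
    rather than silently answered.
    """
    inst, fix = parse_version(installed), parse_version(fixed_in)
    if inst[0] != fix[0]:
        raise ValueError("versions are on different major branches")
    return inst >= fix


if __name__ == "__main__":
    # Constructed sample: the poster's 7.26 (plus 7.2 and 7.28) against
    # the advisory's fixing release, 7.3 (https://drupal.org/node/1204582).
    for site in ("7.2", "7.26", "7.28"):
        print(
            f"{site:>5}  decimal-compare says patched: "
            f"{naive_decimal_compare(site, '7.3')!s:5}  "
            f"component-compare says patched: {includes_fix(site, '7.3')}"
        )
```

Running the block prints that only the component-wise check recognises 7.26 and 7.28 as containing the 7.3 fix, while the decimal rule flags all three. When a scan report cites a fix version that looks "newer" than the current release, reparse both versions this way before treating the finding as a real gap.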
