The Drupal community releases security announcements for vulnerabilities in the Drupal core code and contributed modules; these are available via their website and through an announcement-only mailing list. The developers have decided to offer support for the current stable release branch and its predecessor, currently versions 5.x and 6.x. Users of older versions are strongly recommended to upgrade to a recent release in order to take advantage of new features, bug fixes and continued security support.

However, as a professional services firm hosting websites based on many versions of Drupal, the official end-of-life policy is not always enough for us. We cannot always upgrade our sites, in part because some involve significant modification of core Drupal modules which we would then have to port to new APIs, and our support agreements with our clients don't always cover this amount of work. Best practices for creating customized Drupal websites include never changing the core modules, but for various reasons we were not always able to do this, particularly when using older versions of Drupal, when it was a less mature platform with fewer features.
Since these old websites still need to be protected against known vulnerabilities, we backport the official security patches released by the Drupal team to cover the older versions we use. Now that Drupal 4.6 and 4.7 are no longer supported, we've decided to release our patches for this branch to the community. Please note that these are supplied on a best-effort basis, and that we cannot accept any liability should they fail to be effective. Also, note we will only be supplying patches for Drupal core, and contributed modules actually in use by us.
All that said, we hope these patches will be of use to you, and we welcome any feedback you might have.
Please note this list only includes security announcements for 4.6 during the period in which 5.x and 4.7 were the supported branches, plus security announcements for 4.7 during the period when 5.x and 6.x were the supported branches.
In addition, we have only supplied backported patches for vulnerabilities which we believe affect sites we support. This means that vulnerabilities in many third-party modules are not included, as we either don't use them, or decided it would be simpler to discontinue using them rather than to patch them.
These patches are provided under the terms of the GPLv2, that is, under the same licence as Drupal itself.
Backported security advisories for Drupal 4.7
- SA-CORE-2009-007 (01 July 2009)
- SA-CORE-2009-006 (13 May 2009)
- SA-CORE-2009-005 (29 April 2009)
- SA-CORE-2009-004 (25 February 2009)
- SA-CORE-2009-001 (14 January 2009)
- SA-2008-073 (10 December 2008)
- SA-2008-067 (22 October 2008)
- SA-2008-060 (08 October 2008)
- SA-2008-047 (13 August 2008)
- SA-2008-044 (09 July 2008)