Regarding Drupal.org Remote code execution PSA-2016-001
Update 2016-07-13:18:30 US-East
For customers with Remote Administration - If you are currently an Acquia Cloud Remote Administration customer, you should now have an updated branch available on your Remote Administration environment. We strongly recommend pushing this branch to your production environment immediately. This new branch will update all modules associated with the vulnerability discovered on 13 July 2016.
Customers without Remote Administration - If you do not have Acquia Cloud Remote Administration, check immediately if your site is utilizing any of the vulnerable modules. If so, whether it is enabled or not, we highly recommend updating those modules as soon as possible to ensure you are not at risk to these recently discovered vulnerabilities.
Original security notice
On Wednesday, 13 July 2016, the Drupal.org security team announced security updates for three modules with remote code execution vulnerabilities.
The affected modules are:
For Sites Receiving Remote Administration (Acquia RA) Updates
Customers with Remote Administration (RA) services will receive an updated branch in their RA environment for deployment. Within 24 hours, most customers will have an updated branch; in 48 hours, all customers will be updated except those who experience errors. Acquia will work with customers to resolve implementation errors and apply the updates successfully.
Customers are encouraged to update their own modules if they wish to reduce the window of vulnerability.
For Sites without Remote Administration (Acquia RA) Updates
Check to see if you have any of the impacted modules installed on your site. If so, we highly recommend that you update your site immediately to remediate against this vulnerability. Note that sites are vulnerable if these modules are installed even if they are not enabled. Note that sites are vulnerable if CODER is installed even if it is not enabled.