tags:

views:

34

answers:

3
+1  Q: 

Drupal: last core version update. Risky, if I don't update it ?

hi,

I did several websites with Drupal, and now the core is updated and I cannot come back to my customers to update previous installation. I was wondering how risky is to not update drupal core to the last version and how web developers should deal with websites management.

ps. My customers do not have any computer skills.

thanks

+2  A: 

Here are release notes. Answer on your question lies inside.

Yossarian  2010-03-08 18:54:41
+3  A: 

The openness of open source means that it is easy to know what an upgrade has fixed. It also means that a hacker could just look at the release notes and do a diff between the previous and current version to spot the vulnerabilities in the previous version.

If you have a good relationship with your clients I would explain the need for an upgrade and see if they want to pay you for it, as their sites are vulnerable to anyone determined enough to look at the release notes and do a little digging.

Jergason  2010-03-08 18:59:18
can a hacker easily find out the installed drupal version ?
Patrick  2010-03-09 12:44:11
I don't think they can tell from reading the HTML. If I were a sneaky hacker-man, I would just assume that for a few days-weeks after a new core release, most sites would not be updated yet. Also, any vulnerabilities found and fixed by a new release will probably still exist in an older release. For example, if there is an XSS vulnerability fixed by 6.10, then it probably exists in all 6.x versions before 6.10 as well.
Jergason  2010-03-09 22:59:38
@Patrick, relatively. Most people don't delete out the text files in the root. CHANGELOG.txt has all the info anyone needs.
unn  2010-03-10 01:15:33
isn't CHANGELOG.txt private ? I mean, how can they access to it ? Just for curiosity.
Patrick  2010-03-10 07:35:08
CHANGELOG.txt is hidden by Drupal's .htaccess file, and should be protected by permissions on your server as well.If they can access your CHANGELOG.txt file then you have bigger problems then someone knowing what version of Drupal you are running.
Jergason  2010-03-10 19:45:41
A: 

Updating the core is very Important, it solves some security risks and brings new features.

streetparade  2010-03-08 19:00:08

related questions

Batch node operations in Drupal 5
How do you make php's json_decode compatible with firefox's javascript?
Drupal CSS URL Problem
Is it possible to deploy an already built Drupal site?
php Access violation
Creating an online catalogue using Drupal, what are the best modules/techniques?
How do I upgrade from Drupal 5 to 6?
How does AOP work in Drupal?
Any quirks I should be aware of in Drupal's XML-RPC and BlogAPI implementations?
What is the simplest way to handle images in Drupal?
How can I change some of Drupal's default menu strings without hacking the core files or using the String Override plugin?
Why is my Drupal site logging out users when a Javascript function is called?
How do I add a "last" class on the last <li> within a Views-generated list?
How do I determine if I should install Drupal 5.x or 6.x?
Missing label on Drupal 5 CCK single on/off checkbox
learning drupal fast track: how to create a stackoverflow clone?
How do you remove the default title and body fields in a CCK generated Drupal content-type?
How do I create a node from a cron job in drupal?
How to quickly theme a view?
Where is the best place to get Drupal & Sugar CRM developers?
How to get rid of Javascript Runtime Errors when running PDT + XDebug in Eclipse?
What makes Drupal better/different from Joomla
Include CSS or Javascript file for specific node in Drupal 6
What version of TinyMCE will work in Drupal 5 with google chrome?
How can I change the way my Drupal theme displays the front page