Critical Security Update

Last week on 21 March Drupal.org posted advance notification of a highly critical security update, urging everyone to make time for applying the update as soon as possible when it came out a week later. This gave us time to plan our response and re-organise some work schedules so that on the evening  of Wednesday 28 March starting from about 8:25pm when the details of the patch came out, we took all sites managed by us offline.

For the technically minded, we actually set iptables to not accept any connections on ports 80 and 443 except from within our network and had scripted this using Ansible so the effect was almost immediate across all our servers. That basically means that all our servers were additionally firewalled from this time. This turned out to be a good response since the vulnerability meant that even sites in maintenance mode would have been affected.

Then a team of 4 of our most senior technical folk worked till around midnight to update the sites and bring the servers back online once they'd done basic checks. We coordinated everything through our chat channel and a Google sheet so we could monitor progress. Huge thanks go to Zoltan, Dave, Gareth and Nathan for that great effort in keeping all our clients safe.

If you have any queries about this update and how it might have affected your site, please get in touch through your normal contact.