Drupal 7 Security Updates Released Ahead of End-of-Life Deadline

The Drupal Association has announced the release of critical security updates for Drupal 7 ahead of its end-of-life (EOL) on January 5, 2025. The update addresses an XSS vulnerability in the core Overlay module and a potential object injection flaw that could lead to remote code execution when combined with other vulnerabilities. Members of Tag1, including Ra Mänd and Fabian Franz, played a key role in issuing the security patches, which also included updates for several Drupal 7 contributed modules.

Following the EOL, the Drupal Security Team will cease updates for Drupal 7 core and contrib modules. To ensure continued support, the Drupal Association has authorized Tag1 as a Drupal 7 Extended Support (D7ES) partner. Tag1, with extensive experience managing post-EOL support for Drupal 6, will provide ongoing security updates and vulnerability monitoring for Drupal 7 sites. Organizations are encouraged to enroll in Tag1's D7ES program to maintain site security beyond January 2025.

Tag1's D7ES service offers continuity for Drupal 7 users, leveraging its position as a key contributor to the Drupal 7 codebase and its history of managing post-EOL support. By maintaining QA and testing systems for Drupal 7, Tag1 ensures compatibility and stability for ongoing updates. This service allows organizations to continue existing workflows and release procedures with minimal disruption. Read the official announcement for more details.