As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules – but the Drupal 6 LTS vendors are and we’re one of them!
Today, there is a Moderately Critical security release for the jQuery UI module to fix a Cross Site Scripting (XSS) vulnerability.
Note: the ‘position’ and ‘dialog’ vulnerabilities (which affected Drupal 7 & 9), don’t affect the versions of jQuery UI supported by the D6 module, those being 1.6 and 1.7.
See the security advisory for Drupal 7 for more information.
If you have a Drupal 6 site using the jQuery UI module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. 🙂
Note: if you use the myDropWizard module (totally free!), you’ll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won’t necessarily have a release on Drupal.org).