Responding to critical security update advisories

Last updated on 21 April 2021


As of Drupal 9.3.0, highly critical security advisories (similar to PSA-2019-02-19) will be displayed on Drupal administration pages.

When an advisory is released, site owners should review their sites to verify that the latest releases are installed and that the site is in a good state to quickly update once the fixes are provided to the community.

Most security advisories are not classified as highly critical and are therefore not displayed within Drupal. See the Security Advisories listing page for all current security advisories and for ways to stay informed about new ones.

To learn about security advisories, read the Security advisory process and permissions policy.

Sites running development snapshots

Drupal cannot determine whether a necessary security fix is present when a site runs a development snapshot of a project (either Drupal core or a contributed project). Sites running development versions may therefore see advisories for security issues that do not affect them. It is the site owner's responsibility to read each such advisory and decide whether the relevant projects need to be updated.

Drupal.org JSON advisories feed

Drupal relies on a JSON feed for security advisories. This feed is used by Drupal core and the Automatic Updates contributed module to display advisories. It is supported by the infrastructure of Drupal.org and funded by the activities of the Drupal Association. Its canonical URL is https://updates.drupal.org/psa.json.

The feed includes a list of currently-active PSAs with the following details:

  • title: The title of the security advisory.
  • link: The URL to the full security advisory on Drupal.org.
  • project: The short name of the project the security advisory is for.
  • type: The type of the project the security advisory is for, such as core, module, theme or distribution.
  • is_psa: A flag which indicates that the post is a public service announcement rather than another kind of security advisory.
  • insecure: List of versions of the affected project that are currently considered insecure. For a public service announcement that pre-announces a particular release, this list does not yet say which versions that release will mark as insecure; it is updated after the security release is published.
  • pubDate: The date the security advisory was published.

For example, if "Drupal 7 and 8 release on May 8th, 2019 - PSA-2019-05-07" and "Various 3rd Party Vulnerabilities - PSA-2019-09-04" were the active advisories, psa.json would contain the following:

[
   {
      "title" : "Drupal 7 and 8 release on May 8th, 2019 - PSA-2019-05-07",
      "insecure" : [
         "4.7.0-beta3",
         …
         "8.7.0-rc1",
         "8.7.0",
         "8.7.4"
      ],
      "link" : "https://www.drupal.org/psa-2019-05-07",
      "pubDate" : "2019-09-20T22:09:16+00:00",
      "project" : "drupal",
      "type" : "core",
      "is_psa" : "1"
   },
   {
      "project" : "securitydrupalorg",
      "pubDate" : "2019-09-12T21:35:55+00:00",
      "is_psa" : "1",
      "type" : "module",
      "insecure" : [],
      "title" : "Various 3rd Party Vulnerabilities - PSA-2019-09-04",
      "link" : "https://www.drupal.org/psa-2019-09-04"
   }
]
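
The following Python script is an added example, not part of this page and not Drupal core's implementation. It parses a psa.json payload in the shape documented above, validates every entry against the field list, and decides which entries apply to a set of installed project versions. The sample payload, the made-up example_module advisory and the installed-version dictionaries are constructed for illustration, and the matching rules are an assumption that follows the behaviour described in this page (a PSA is shown regardless of version, a released version must appear in the insecure list exactly, a -dev snapshot matches any insecure version on its branch because the snapshot may or may not contain the fix). The same script also illustrates the dev-snapshot caveat above and the "could not be decoded" and "Invalid security advisory format" conditions named in the troubleshooting section below.

```python
"""Added example (not Drupal core code): parse, validate and match a psa.json
payload. Matching rules are an assumption that follows the page's text."""
import json
import re
from dataclasses import dataclass

# Constructed sample payload. The first two entries mirror the page's example
# with the "insecure" list shortened; the third is a hypothetical non-PSA
# advisory for a made-up module so the version matching has a target.
SAMPLE_FEED = json.dumps([
    {"title": "Drupal 7 and 8 release on May 8th, 2019 - PSA-2019-05-07",
     "insecure": ["8.7.0-rc1", "8.7.0", "8.7.4"],
     "link": "https://www.drupal.org/psa-2019-05-07",
     "pubDate": "2019-09-20T22:09:16+00:00",
     "project": "drupal", "type": "core", "is_psa": "1"},
    {"project": "securitydrupalorg", "pubDate": "2019-09-12T21:35:55+00:00",
     "is_psa": "1", "type": "module", "insecure": [],
     "title": "Various 3rd Party Vulnerabilities - PSA-2019-09-04",
     "link": "https://www.drupal.org/psa-2019-09-04"},
    {"title": "Example module (constructed sample advisory, not real)",
     "insecure": ["8.x-1.0", "8.x-1.1"],
     "link": "https://example.org/sa-contrib-sample",
     "pubDate": "2019-10-01T00:00:00+00:00",
     "project": "example_module", "type": "module", "is_psa": "0"},
])

# Field names and JSON types taken from the field list documented above.
REQUIRED_FIELDS = {"title": str, "link": str, "project": str, "type": str,
                   "is_psa": (str, int, bool), "insecure": list, "pubDate": str}


@dataclass(frozen=True)
class Advisory:
    title: str
    link: str
    project: str
    type: str
    is_psa: bool
    insecure: tuple
    pub_date: str


def parse_feed(raw):
    """Decode and validate a psa.json payload. Error texts are modelled on the
    two log lines named in the troubleshooting section."""
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("The security advisory JSON feed from Drupal.org "
                         "could not be decoded.") from exc
    if not isinstance(payload, list):
        raise ValueError("Invalid security advisory format: top level is not a list")
    advisories = []
    for entry in payload:
        if not isinstance(entry, dict):
            raise ValueError("Invalid security advisory format: entry is not an object")
        for name, expected in REQUIRED_FIELDS.items():
            if not isinstance(entry.get(name), expected):
                raise ValueError(f"Invalid security advisory format: missing or bad {name!r}")
        if not all(isinstance(v, str) for v in entry["insecure"]):
            raise ValueError("Invalid security advisory format: 'insecure' must hold strings")
        advisories.append(Advisory(
            title=entry["title"], link=entry["link"], project=entry["project"],
            type=entry["type"], is_psa=str(entry["is_psa"]).lower() in ("1", "true"),
            insecure=tuple(entry["insecure"]), pub_date=entry["pubDate"]))
    return advisories


def feed_error(raw):
    """Validation error message for a payload, or None when it is well-formed."""
    try:
        parse_feed(raw)
    except ValueError as exc:
        return str(exc)
    return None


_PRERELEASE = re.compile(r"-(dev|alpha|beta|rc)\d*$")


def branch(version):
    """Release branch of a version string: '8.7.0-rc1' -> '8.7',
    '9.3.x-dev' -> '9.3', '8.x-1.0-beta1' -> '8.x-1', '7.x-dev' -> '7'."""
    return _PRERELEASE.sub("", version).rsplit(".", 1)[0]


def applies(advisory, installed):
    """Assumed rules; `installed` maps project short name (core is 'drupal')
    to the installed version. Projects not installed are ignored, a PSA is
    always shown, a release must match 'insecure' exactly, and a -dev
    snapshot matches any insecure version on the same branch."""
    version = installed.get(advisory.project)
    if version is None:
        return False
    if advisory.is_psa:
        return True
    if version.endswith("-dev"):
        return any(branch(v) == branch(version) for v in advisory.insecure)
    return version in advisory.insecure


def applicable_titles(raw, installed):
    return [a.title for a in parse_feed(raw) if applies(a, installed)]


if __name__ == "__main__":
    # Hypothetical site: core dev snapshot plus a released contributed module.
    for title in applicable_titles(SAMPLE_FEED, {"drupal": "8.7.x-dev",
                                                  "example_module": "8.x-1.1"}):
        print(title)
```

To run it against the live feed, replace SAMPLE_FEED with the body of https://updates.drupal.org/psa.json fetched over HTTPS; an empty list ("[]") parses to no advisories, which is the normal state when nothing highly critical is active.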

Troubleshooting the advisory feed

If your Drupal site cannot fetch the advisories feed from Drupal.org, the status report will have a warning under Critical security announcements that starts with "Failed to fetch security advisory data".

Verify that the feed is online

To determine if the advisory feed from Drupal.org is currently online, visit the feed, https://updates.drupal.org/psa.json, directly in your browser. In most cases, if there are currently no highly critical security advisories, the feed will simply display "[]".

Verify that OpenSSL is configured correctly

If OpenSSL is not configured correctly, your site might not be able to retrieve the advisory feed. Consult the PHP OpenSSL requirements page for more information on correctly setting this up or enabling the HTTP fallback if OpenSSL is not available.

Check your site's network connectivity

If the feed is online and OpenSSL is configured correctly but the fetch still fails, the server or hosting provider may be blocking outgoing network traffic (with a firewall, for example). Use the command line (e.g. curl), running as the web server user, to verify that requests to the feed URL succeed, or contact your hosting provider or system administrator.

Check for possible JSON feed format issues

There is a small chance of a formatting problem in the feed itself. In that case no error appears in the site's status report; instead, check the site's error logs for "The security advisory JSON feed from Drupal.org could not be decoded.", which means the entire feed could not be decoded, or "Invalid security advisory format:", which indicates that a particular advisory contains invalid data. If you encounter either error, search the Drupal.org customizations issue queue for an existing issue or create a new one.

Check for issues in the Drupal.org issue queues

If none of the above troubleshooting steps resolves your issue, you can search the Drupal.org issue queues or report a new issue.
