drupal7 (7.24-1) unstable; urgency=high

  In order to avoid a remote code execution vulnerability (described in
  https://drupal.org/SA-CORE-2013-003), it is recommended to create a
  .htaccess file (or an equivalent configuration directive in case you are
  not using Apache to serve your Drupal sites) in each of your sites'
  "files" directories (both public and private, in case you have both
  configured).

  This file's contents should include the following declarations:

      # Turn off all options we don't need.
      Options None
      Options +FollowSymLinks
      
      # Set the catch-all handler to prevent scripts from being executed.
      SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
      <Files *>
        # Override the handler again if we're run later in the evaluation list.
        SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
      </Files>
      
      # If we know how to do it safely, disable the PHP engine entirely.
      <IfModule mod_php5.c>
        php_flag engine off
      </IfModule>
      
  A copy of this file is shipped in
  /usr/share/doc/drupal7/files.htaccess. As your sites' "files"
  directories are local rather than Debian-controlled, we cannot install
  it there for you.
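
  One way to check that every "files" directory carries the declarations
  above (an added example, not part of the Debian package or of Drupal).
  The <sites-root>/<site>/files layout and the function names are
  assumptions; private directories can be passed to htaccess_ok directly.

```shell
#!/bin/sh
# Added example: audit Drupal "files" directories for the protective .htaccess.
# Assumption: public files directories live at <sites-root>/<site>/files.
# Usage (placeholder path): audit_sites /path/to/drupal/sites

# Directives from the NEWS entry that must be active (matched as fixed strings).
REQUIRED_HANDLER='SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003'
REQUIRED_PHP_OFF='php_flag engine off'

# htaccess_ok DIR: succeed only if DIR/.htaccess is a regular file that
# contains both required directives on non-comment lines.
htaccess_ok() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    # Drop comment lines so a commented-out directive does not count.
    # grep -v fails when nothing is left (empty or comment-only file).
    active=$(grep -v '^[[:space:]]*#' "$f") || return 1
    for req in "$REQUIRED_HANDLER" "$REQUIRED_PHP_OFF"; do
        printf '%s\n' "$active" | grep -qF -- "$req" || return 1
    done
    return 0
}

# audit_sites ROOT: print each files directory under ROOT that lacks the
# protection. Returns 0 when all are protected, 1 otherwise.
audit_sites() {
    rc=0
    for d in "$1"/*/files; do
        [ -d "$d" ] || continue
        if ! htaccess_ok "$d"; then
            printf '%s\n' "$d"
            rc=1
        fi
    done
    return $rc
}
```

  A passing check only shows that the file is in place; Apache honours it
  only where AllowOverride permits these directives.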

 -- Gunnar Wolf <gwolf@debian.org>  Wed, 20 Nov 2013 19:17:41 -0600
