How far is BackdropCMS affected by the recent Drupal Security advisories?

[simonsan]

Talking about: https://www.drupal.org/security e.g.

Show advisories for only Drupal Core, only contributed projects, or only PSAs
Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001
Date: 
2024-January-17
Security risk: 
Moderately critical 11∕25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:Default

The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).

How can I, as a possible future user, know how far BackdropCMS is affected by Drupal security issues? What is the best way to look them up? I didn't find any links in the issue tracker to research the above security issues within Backdrop core or other parts of the codebase.

[stpaultim]

@simonsan Thanks for asking this question. Here is a link to some general information about the Backdrop CMS security team and procedures.

• https://backdropcms.org/leadership/security-team
• https://backdropcms.org/security

Simply put, Backdrop CMS has representation on the Drupal Security team and get's alerts for Drupal 7 issues that are likely to effect Backdrop CMS. We generally try to release security updates at the same time as Drupal 7. To my knowledge, we're still sorting out how this will all work after support for Drupal 7 has reached end of life. However, we are in active discussions with the Drupal Security team to try and find the best possible solution that protects Backdrop users without putting any additional burden on the Drupal security team.

The Backdrop CMS code base is very close that of Drupal 7. Many Drupal 7 security isssues also effect Backdrop CMS, but very few Drupal 8/9/10 security issues are relevent to Backdrop CMS. The issue you mentioned would not effect Backdrop CMS as it did not effect Drupal 7.

Here is a link to a list of Backdrop CMS Security Advisories. https://backdropcms.org/security/advisories