Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
www.debian.org/security/2016/dsa-3498
www.openwall.com/lists/oss-security/2016/02/24/19
www.openwall.com/lists/oss-security/2016/03/15/10
github.com/drupal/core
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-3171.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-3171.yaml
nvd.nist.gov/vuln/detail/CVE-2016-3171
www.drupal.org/SA-CORE-2016-001