[Drupal] Critical Drupal Security Update

Little, Jason P. little.129 at osu.edu
Mon Apr 23 13:35:13 EDT 2018 

This Wednesday, a critical Drupal security update will be released for 7 and 8, probably with releases for D6 and backdrop to follow.

This is a follow up to the highly critical remote execution vulnerability from March.
https://www.drupal.org/psa-2018-003

As an aside, it’s really important to apply these patches. Sites that didn’t patch in March should probably be considered hacked now.
https://arstechnica.com/information-technology/2018/04/drupalgeddon2-touches-off-arms-race-to-mass-exploit-powerful-web-servers/

If you are having trouble patching, know that there was a fairly lively discussion in the OSU #drupal slack channel as the patches were being released. We were all comparing notes on when the tarballs hit, when composer packages were ready, when pantheon drops had been built, etc.
https://osu.slack.com/messages/C02R92GSK/

Best,
Jason Little
University Marketing


Critical

Remotely exploitable Denial of Service (DOS) vulnerabilities that can compromise the system but do require user interaction. Vulnerabilities that may allow anonymous users (i.e. users not registered at the site) to log in as a site user or take administrative actions. Interaction (such as an administrator viewing a particular page) may be required for this exploit to be successful, or in cases where interaction is not required (such as CSRF) the exploit causes only minor damage.
Previous examples include: OpenID impersonation, SQL injection



Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003
View online: https://www.drupal.org/psa-2018-003

There will be a security release of * Drupal 7.x, 8.4.x, and 8.5.x on April
25th, 2018 between 16:00 - 18:00 UTC*. This PSA is to notify that the Drupal
core release is outside of the regular schedule [1] of security releases. For
all security updates, the Drupal Security Team urges you to reserve time for
core updates at that time because there is some risk that exploits might be
developed within hours or days. Security release announcements will appear on
the Drupal.org security advisory page.

This security release is a follow-up to the one released as SA-CORE-2018-002
[2] on March 28.

   * Sites on 7.x or 8.5.x can immediately update when the advisory is
released
     using the normal procedure.
   * Sites on 8.4.x should immediately update to the 8.4.8 release that will
be
     provided in the advisory, and then plan to update to 8.5.3 or the latest
     security release as soon as possible (since 8.4.x no longer receives
     official security coverage).

The security advisory will list the appropriate version numbers for each
branch. Your site's update report page will recommend the 8.5.x release even
if you are on 8.4.x or an older release, but temporarily updating to the
provided backport for your site's current version will ensure you can update
quickly without the possible side effects of a minor version update.

Patches for Drupal 7.x, 8.4.x, 8.5.x and 8.6.x will be provided in addition
to the releases mentioned above. (If your site is on a Drupal 8 release older
than 8.4.x, it no longer receives security coverage and will not receive a
security update. The provided patches may work for your site, but upgrading
is strongly recommended as older Drupal versions contain other disclosed
security vulnerabilities.)

This release will not require a database update.

The CVE for this issue is CVE-2018-7602. The Drupal-specific identifier for
the issue will be SA-CORE-2018-004.

The Security Team or any other party is not able to release any more
information about this vulnerability until the announcement is made. The
announcement will be made public at https://www.drupal.org/security, over
Twitter, and in email for those who have subscribed to our email list. To
subscribe to the email list: login on Drupal.org, go to your user profile
page, and subscribe to the security newsletter on the Edit » My newsletters
tab.

Journalists interested in covering the story are encouraged to email
security-press at drupal.org<mailto:security-press at drupal.org> to be sure they will get a copy of the
journalist-focused release. The Security Team will release a
journalist-focused summary email at the same time as the new code release and
advisory.
If you find a security issue, please report it at
https://www.drupal.org/security-team/report-issue.


[1] https://www.drupal.org/node/1173280
[2] https://www.drupal.org/sa-core-2018-002

_______________________________________________
Security-news mailing list
Security-news at drupal.org<mailto:Security-news at drupal.org>
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osu.edu/pipermail/drupal/attachments/20180423/fe6a77aa/attachment-0001.html>

More information about the Drupal mailing list