[Drupal] Drupal Highly Critical Vulnerability

Little, Jason P. little.129 at osu.edu
Tue Mar 27 08:23:00 EDT 2018


All,

This Wednesday @2-4pm, Drupal will be releasing an update for a previously undisclosed highly critical vulnerability impacting Drupal 7 and 8.

Official PSA
https://www.drupal.org/psa-2018-001

This severity is used for remote execution <https://www.drupal.org/drupal-security-team/security-risk-levels-defined> bugs which can be used to compromise a site.

The last time there was a major vulnerability like this, exploit scanners were running at large scale within hours of the disclosure. The Drupal security team issued a follow-up PSA <https://www.drupal.org/forum/newsletters/security-public-service-announcements/2014-10-29/drupal-core-highly-critical> saying that anyone who did not patch within 7 hours should proceed with the assumption that their site had been compromised.

If you go home Wednesday night before patching Drupal, you could easily come in Thursday to a hacked site so…

Patch up!

Best,
Jason Little
University Marketing


PS. If, after Wednesday, you’re trying to determine if you are patched, you can usually look at the Drupal core CHANGELOG for your site to determine the exact version number.

D8: http://insights.osu.edu/core/CHANGELOG.txt
D7: https://odee.osu.edu/CHANGELOG.txt

The actual vulnerability, along with the updated version numbers for 7.x, 8.3.x, 8.4.x, and 8.5.x should all be announced here.
https://www.drupal.org/security

Some people might apply a code patch instead of upgrading the version in which case a site *could* be safe with an old changelog. However, this is generally rare.

Also note that it can take a couple of hours from the initial release to test and deploy these patches.
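One way to script the CHANGELOG check from the PS above, as an added example that is not part of Jason's post: it fetches CHANGELOG.txt from the two paths named in the post (/core/CHANGELOG.txt for D8, /CHANGELOG.txt for D7), parses the newest version line, and compares it with a table of first-fixed releases. The fixed-version numbers are placeholders to be filled in from https://www.drupal.org/security once the advisory is out, and the sample changelog text is constructed; "unpatched" is reported as a heuristic because a code-patched site can keep an old changelog.

```python
import re
import urllib.request

# Drupal's CHANGELOG.txt lists the newest release first, e.g. "Drupal 7.57, 2018-02-21".
VERSION_RE = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)

# PLACEHOLDER: replace with the first fixed release per branch from
# https://www.drupal.org/security once the advisory is out; 999 is a stand-in.
FIXED_VERSIONS = {(7,): (7, 999), (8, 3): (8, 3, 999),
                  (8, 4): (8, 4, 999), (8, 5): (8, 5, 999)}

# Constructed sample of a Drupal 7 changelog head (not fetched from any real site).
SAMPLE_CHANGELOG = "Drupal 7.57, 2018-02-21\n-----------------------\n- Fixed security issues.\n"

def fetch_changelog(site_url, drupal8):
    """Download CHANGELOG.txt from a site you administer, using the paths in the post."""
    path = "/core/CHANGELOG.txt" if drupal8 else "/CHANGELOG.txt"
    with urllib.request.urlopen(site_url.rstrip("/") + path, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

def parse_version(changelog_text):
    """Return the newest core version named in the changelog as an int tuple, or None."""
    match = VERSION_RE.search(changelog_text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)

def patch_status(changelog_text, fixed_versions=FIXED_VERSIONS):
    """Compare the changelog version with the first fixed release of its branch
    (7.x, or 8.<minor>.x). "unpatched" is a heuristic only: a site can carry a
    code patch instead of a version bump and keep an old changelog, as the post notes."""
    version = parse_version(changelog_text)
    if version is None:
        return "no-version"       # changelog missing, blocked, or reformatted
    branch = version[:1] if version[0] == 7 else version[:2]
    fixed = fixed_versions.get(branch)
    if fixed is None:
        return "unknown-branch"   # e.g. an 8.x minor not in the fixed list
    return "patched" if version >= fixed else "unpatched"

if __name__ == "__main__":
    print(parse_version(SAMPLE_CHANGELOG), patch_status(SAMPLE_CHANGELOG))
```

Run it against a live site with `patch_status(fetch_changelog("https://example.osu.edu", drupal8=True))`; a blocked or removed changelog gives "no-version" rather than a false "patched".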