[kwlug-disc] Fwd: [Security-news] Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003

Mon Apr 23 15:29:38 EDT 2018

Another security release in two days between 12:00 and 14:00 (EDT).

If you have a Drupal site, be prepared to apply it as soon as it comes out.

---------- Forwarded message ----------
From:  <security-news at drupal.org>
Date: Mon, Apr 23, 2018 at 1:09 PM
Subject: [Security-news] Drupal 7 and 8 core critical release on April
25th, 2018 PSA-2018-003
To: security-news at drupal.org

View online: https://www.drupal.org/psa-2018-003

There will be a security release of * Drupal 7.x, 8.4.x, and 8.5.x on April
25th, 2018 between 16:00 - 18:00 UTC*. This PSA is to notify that the Drupal
core release is outside of the regular schedule [1] of security releases. For
all security updates, the Drupal Security Team urges you to reserve time for
core updates at that time because there is some risk that exploits might be
developed within hours or days. Security release announcements will appear on
the Drupal.org security advisory page.

This security release is a follow-up to the one released as SA-CORE-2018-002
[2] on March 28.

  * Sites on 7.x or 8.5.x can immediately update when the advisory isreleased
    using the normal procedure.
  * Sites on 8.4.x should immediately update to the 8.4.8 release that willbe
    provided in the advisory, and then plan to update to 8.5.3 or the latest
    security release as soon as possible (since 8.4.x no longer receives
    official security coverage).

The security advisory will list the appropriate version numbers for each
branch. Your site's update report page will recommend the 8.5.x release even
if you are on 8.4.x or an older release, but temporarily updating to the
provided backport for your site's current version will ensure you can update
quickly without the possible side effects of a minor version update.

Patches for Drupal 7.x, 8.4.x, 8.5.x and 8.6.x will be provided in addition
to the releases mentioned above. (If your site is on a Drupal 8 release older
than 8.4.x, it no longer receives security coverage and will not receive a
security update. The provided patches may work for your site, but upgrading
is strongly recommended as older Drupal versions contain other disclosed
security vulnerabilities.)

This release will not require a database update.

The CVE for this issue is CVE-2018-7602. The Drupal-specific identifier for
the issue will be SA-CORE-2018-004.

The Security Team or any other party is not able to release any more
information about this vulnerability until the announcement is made. The
announcement will be made public at https://www.drupal.org/security, over
Twitter, and in email for those who have subscribed to our email list. To
subscribe to the email list: login on Drupal.org, go to your user profile
page, and subscribe to the security newsletter on the Edit » My newsletters
tab.

Journalists interested in covering the story are encouraged to email
security-press at drupal.org to be sure they will get a copy of the
journalist-focused release. The Security Team will release a
journalist-focused summary email at the same time as the new code release and
advisory.
If you find a security issue, please report it at
https://www.drupal.org/security-team/report-issue.

[1] https://www.drupal.org/node/1173280
[2] https://www.drupal.org/sa-core-2018-002

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- anonymous