[kwlug-disc] [Security-news] Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003

Khalid Baheyeldin kb at 2bits.com
Thu May 3 11:24:19 EDT 2018


That last one was weaponized within hours.

https://www.bleepingcomputer.com/news/security/hackers-dont-give-site-owners-time-to-patch-start-exploiting-new-drupal-flaw-within-hours/

On Mon, Apr 23, 2018 at 3:29 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:

> Another security release in two days between 12:00 and 14:00 (EDT).
>
> If you have a Drupal site, be prepared to apply it as soon as it comes out.
>
>
> ---------- Forwarded message ----------
> From:  <security-news at drupal.org>
> Date: Mon, Apr 23, 2018 at 1:09 PM
> Subject: [Security-news] Drupal 7 and 8 core critical release on April
> 25th, 2018 PSA-2018-003
> To: security-news at drupal.org
>
>
> View online: https://www.drupal.org/psa-2018-003
>
> There will be a security release of *Drupal 7.x, 8.4.x, and 8.5.x on April
> 25th, 2018 between 16:00 - 18:00 UTC*. This PSA is to notify that the Drupal
> core release is outside of the regular schedule [1] of security releases. For
> all security updates, the Drupal Security Team urges you to reserve time for
> core updates at that time because there is some risk that exploits might be
> developed within hours or days. Security release announcements will appear on
> the Drupal.org security advisory page.
>
> This security release is a follow-up to the one released as SA-CORE-2018-002
> [2] on March 28.
>
>   * Sites on 7.x or 8.5.x can immediately update when the advisory is released
>     using the normal procedure.
>   * Sites on 8.4.x should immediately update to the 8.4.8 release that will be
>     provided in the advisory, and then plan to update to 8.5.3 or the latest
>     security release as soon as possible (since 8.4.x no longer receives
>     official security coverage).
>
> The security advisory will list the appropriate version numbers for each
> branch. Your site's update report page will recommend the 8.5.x release even
> if you are on 8.4.x or an older release, but temporarily updating to the
> provided backport for your site's current version will ensure you can update
> quickly without the possible side effects of a minor version update.
>
> Patches for Drupal 7.x, 8.4.x, 8.5.x and 8.6.x will be provided in addition
> to the releases mentioned above. (If your site is on a Drupal 8 release older
> than 8.4.x, it no longer receives security coverage and will not receive a
> security update. The provided patches may work for your site, but upgrading
> is strongly recommended as older Drupal versions contain other disclosed
> security vulnerabilities.)
>
> This release will not require a database update.
>
> The CVE for this issue is CVE-2018-7602. The Drupal-specific identifier for
> the issue will be SA-CORE-2018-004.
>
> The Security Team or any other party is not able to release any more
> information about this vulnerability until the announcement is made. The
> announcement will be made public at https://www.drupal.org/security, over
> Twitter, and in email for those who have subscribed to our email list. To
> subscribe to the email list: login on Drupal.org, go to your user profile
> page, and subscribe to the security newsletter on the Edit » My newsletters
> tab.
>
> Journalists interested in covering the story are encouraged to email
> security-press at drupal.org to be sure they will get a copy of the
> journalist-focused release. The Security Team will release a
> journalist-focused summary email at the same time as the new code release and
> advisory.
> If you find a security issue, please report it at
> https://www.drupal.org/security-team/report-issue.
>
>
> [1] https://www.drupal.org/node/1173280
> [2] https://www.drupal.org/sa-core-2018-002
>
> _______________________________________________
> Security-news mailing list
> Security-news at drupal.org
> Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
>
>
> --
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> Simplicity is the ultimate sophistication. -- anonymous
>



-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- anonymous