[kwlug-disc] [Security-news] Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003

Paul Nijjar paul_nijjar at yahoo.ca
Thu May 3 12:05:33 EDT 2018 

I updated KWLUG to 8.4.8 . Now Drupal wants me to upgrade to 8.5.3,
but Composer won't do it. In the past running the composer upgrade
commands has been enough to switch major release versions, but this
time it is not happening. 

Obviously this is on my shoulders to figure out. But have you heard of
other people running into such problems?

- Paul


On Thu, May 03, 2018 at 11:24:19AM -0400, Khalid Baheyeldin wrote:
> That last one was weaponized within hours.
> 
> https://www.bleepingcomputer.com/news/security/hackers-dont-give-site-owners-time-to-patch-start-exploiting-new-drupal-flaw-within-hours/
> 
> On Mon, Apr 23, 2018 at 3:29 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:
> 
> > Another security release in two days between 12:00 and 14:00 (EDT).
> >
> > If you have a Drupal site, be prepared to apply it as soon as it comes out.
> >
> >
> > ---------- Forwarded message ----------
> > From:  <security-news at drupal.org>
> > Date: Mon, Apr 23, 2018 at 1:09 PM
> > Subject: [Security-news] Drupal 7 and 8 core critical release on April
> > 25th, 2018 PSA-2018-003
> > To: security-news at drupal.org
> >
> >
> > View online: https://www.drupal.org/psa-2018-003
> >
> > There will be a security release of * Drupal 7.x, 8.4.x, and 8.5.x on April
> > 25th, 2018 between 16:00 - 18:00 UTC*. This PSA is to notify that the
> > Drupal
> > core release is outside of the regular schedule [1] of security releases.
> > For
> > all security updates, the Drupal Security Team urges you to reserve time
> > for
> > core updates at that time because there is some risk that exploits might be
> > developed within hours or days. Security release announcements will appear
> > on
> > the Drupal.org security advisory page.
> >
> > This security release is a follow-up to the one released as
> > SA-CORE-2018-002
> > [2] on March 28.
> >
> >   * Sites on 7.x or 8.5.x can immediately update when the advisory
> > isreleased
> >     using the normal procedure.
> >   * Sites on 8.4.x should immediately update to the 8.4.8 release that
> > willbe
> >     provided in the advisory, and then plan to update to 8.5.3 or the
> > latest
> >     security release as soon as possible (since 8.4.x no longer receives
> >     official security coverage).
> >
> > The security advisory will list the appropriate version numbers for each
> > branch. Your site's update report page will recommend the 8.5.x release
> > even
> > if you are on 8.4.x or an older release, but temporarily updating to the
> > provided backport for your site's current version will ensure you can
> > update
> > quickly without the possible side effects of a minor version update.
> >
> > Patches for Drupal 7.x, 8.4.x, 8.5.x and 8.6.x will be provided in addition
> > to the releases mentioned above. (If your site is on a Drupal 8 release
> > older
> > than 8.4.x, it no longer receives security coverage and will not receive a
> > security update. The provided patches may work for your site, but upgrading
> > is strongly recommended as older Drupal versions contain other disclosed
> > security vulnerabilities.)
> >
> > This release will not require a database update.
> >
> > The CVE for this issue is CVE-2018-7602. The Drupal-specific identifier for
> > the issue will be SA-CORE-2018-004.
> >
> > The Security Team or any other party is not able to release any more
> > information about this vulnerability until the announcement is made. The
> > announcement will be made public at https://www.drupal.org/security, over
> > Twitter, and in email for those who have subscribed to our email list. To
> > subscribe to the email list: login on Drupal.org, go to your user profile
> > page, and subscribe to the security newsletter on the Edit � My newsletters
> > tab.
> >
> > Journalists interested in covering the story are encouraged to email
> > security-press at drupal.org to be sure they will get a copy of the
> > journalist-focused release. The Security Team will release a
> > journalist-focused summary email at the same time as the new code release
> > and
> > advisory.
> > If you find a security issue, please report it at
> > https://www.drupal.org/security-team/report-issue.
> >
> >
> > [1] https://www.drupal.org/node/1173280
> > [2] https://www.drupal.org/sa-core-2018-002
> >
> > _______________________________________________
> > Security-news mailing list
> > Security-news at drupal.org
> > Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
> >
> >
> > --
> > Khalid M. Baheyeldin
> > 2bits.com, Inc.
> > Fast Reliable Drupal
> > Drupal optimization, development, customization and consulting.
> > Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> > Simplicity is the ultimate sophistication. -- anonymous
> >
> 
> 
> 
> -- 
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> Simplicity is the ultimate sophistication. -- anonymous

> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org


-- 
http://pnijjar.freeshell.org

More information about the kwlug-disc mailing list