Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2018.0098
Pre-release advisory of security updates for Drupal 7 and 8
24 April 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Drupal
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2018-7602
Member content until: Thursday, May 24 2018
OVERVIEW
"There will be a security release of Drupal 7.x, 8.4.x, and 8.5.x on
April 25th, 2018 between 16:00 - 18:00 UTC." [1]
This release is outside of the normal schedule of security releases.
IMPACT
The vendor has provided the following information:
"The CVE for this issue is CVE-2018-7602. The Drupal-specific identifier for
the issue will be SA-CORE-2018-004.
The Security Team or any other party is not able to release any more
information about this vulnerability until the announcement is made. The
announcement will be made public at https://www.drupal.org/security, over
Twitter, and in email for those who have subscribed to our email list." [1]
MITIGATION
According to the Drupal security team:
"Patches for Drupal 7.x, 8.4.x, 8.5.x and 8.6.x will be provided in addition
to the releases mentioned above. (If your site is on a Drupal 8 release older
than 8.4.x, it no longer receives security coverage and will not receive a
security update. The provided patches may work for your site, but upgrading
is strongly recommended as older Drupal versions contain other disclosed
security vulnerabilities.)" [1]
REFERENCES
[1] Drupal 7 and 8 core critical release on April 25th, 2018
PSA-2018-003
https://www.drupal.org/psa-2018-003
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWt6zuYx+lLeg9Ub1AQirYg//f2GJHS0YePUP1gH1hD3N7R+zCrsFUnr0
rNKv6Ghbyqi8f06m0IGSjQTy0P81NJ5pbcME5GqlVrvmVzLN7Hn4MZA1VtxP31t5
mCRwghi7kBlvJXyvRqTM5q0XXDBxp8VKHyKeKQKq0HZOYiiiFv1iM8iU4yB2ZBhF
n1EHgyd9+7208O5sSfyPHsoKEGx4jD1jJR5XAGnYXP886QKZioGpa1HDqms94qxH
DYVdMIjSfnorBis1Rf6VnbHu+RqOb1KFlTk2MnH0IxHUVoDL9mqX5pXb5gAqa1mC
2asFOG4BeSWxCdbeQb1q7vp/pvPzLnjQeIzGzTFWCG5E/mnGj2k06l+82H9Pzk9z
LobY2ifOrrJtGCtnZk8+bVNfFEcfYiCSkgH2AvoJCsux6uDR5hE25QYCQWkMYUHN
bPiAYp/toc4CSj6t2hKDb6soahTw2hTsWsdZw+kbtG0C73JC5/Df+uExH4XHKQPa
h/WQmdn0c7P7Otg+cvxyfEzkrAkj+u/b8UIL1w46xF764pCgzo25vGlTTKKebXzq
ad+KLtSGM9wObFIuS5Uv9Zmib2qjec3LMXlPQvd06xjN54n3fXDBieW4RrxxVCHJ
V7eXbs7wpNtNMFcKCRVCU1Yr/tTgoLZ1ql2M5qHHKtSuGsAZn7pLte2KGHYtIE95
8puh/54x924=
=QC+8
-----END PGP SIGNATURE-----