===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0098
        Pre-release advisory of security updates for Drupal 7 and 8
                               24 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Drupal
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Reduced Security -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-7602
Member content until: Thursday, May 24 2018

OVERVIEW

        "There will be a security release of Drupal 7.x, 8.4.x, and 8.5.x
        on April 25th, 2018 between 16:00 - 18:00 UTC." [1]

        This release is outside of the normal schedule of security
        releases.


IMPACT

        The vendor has provided the following information:

        "The CVE for this issue is CVE-2018-7602. The Drupal-specific
        identifier for the issue will be SA-CORE-2018-004.

        The Security Team or any other party is not able to release any
        more information about this vulnerability until the announcement
        is made. The announcement will be made public at
        https://www.drupal.org/security, over Twitter, and in email for
        those who have subscribed to our email list." [1]


MITIGATION

        According to the Drupal security team:

        "Patches for Drupal 7.x, 8.4.x, 8.5.x and 8.6.x will be provided
        in addition to the releases mentioned above. (If your site is on
        a Drupal 8 release older than 8.4.x, it no longer receives
        security coverage and will not receive a security update. The
        provided patches may work for your site, but upgrading is
        strongly recommended as older Drupal versions contain other
        disclosed security vulnerabilities.)" [1]


REFERENCES

        [1] Drupal 7 and 8 core critical release on April 25th, 2018
            PSA-2018-003
            https://www.drupal.org/psa-2018-003

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================