Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.0820 Drupal 7 and 8 core highly critical release on March 28th 22 March 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Drupal Publisher: Drupal Operating System: UNIX variants (UNIX, Linux, OSX) Windows BSD variants Impact/Access: Reduced Security -- Unknown/Unspecified Resolution: Patch/Upgrade Original Bulletin: https://www.drupal.org/psa-2018-001 - --------------------------BEGIN INCLUDED TEXT-------------------- Drupal 7 and 8 core highly critical release on March 28th, 2018 PSA-2018-001 Posted by Drupal Security Team on 21 Mar 2018 at 19:13 UTC o Advisory ID: DRUPAL-PSA-2018-001 o Project: Drupal Core o Version: 7.x, 8.x o Date: 2018-March-21 Description There will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 - 19:30 UTC, one week from the publication of this document, that will fix a highly critical security vulnerability. The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page. While Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0. The Drupal security team strongly recommends the following: o Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month. o Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month. o Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure. The security advisory will list the appropriate version numbers for all three Drupal 8 branches. Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update. The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, over Twitter, and in email for those who have subscribed to our email list. To subscribe to the email list: log in on drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit >> My newsletters tab. Journalists interested in covering the story are encouraged to email security-press@drupal.org to be sure they will get a copy of the journalist-focused release. The Security Team will release a journalist-focused summary email at the same time as the new code release and advisory. If you find a security issue, please report it at https://www.drupal.org/ security-team/report-issue. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWrNOmox+lLeg9Ub1AQhFPw//fzkRiPv73YWDw2kCigN3vnamUUAd9t8J a9hsECKyvzS5LrEm1iW/bB0XbX8qGy0zsknz1B8m1dO4phJpmHD0Omwqzzo9pBzU zCuCyp9nCVvkjEcN4ZvdeK0Ve9/uoArxQ36Svs186aCujsLrYOlFIn+CzGiLm3uR v0uQnSYRAI534Hmx4OvacXMP2uFrkppWRdB7V1xS6YnI9O9l+CYjGWbro6+h7HUX z3lJ/vX+DXa8pMuho7xERc9vD0QXHcn8miYYrWHAemB3lQEhONlKH2mecu+4+5Qd HyDIXVU4q+sF0XSzpN4puxgs7ZF4oJi69XNrTukAfnbNe9sQ5MoUKBnV9qsctqbg dt0nFRgDWDMvV16W0pAt1CGhjCUsSJ1RrwYj+hQTN8NxiqgxSD8GG2J2r5I4BHoT 9Kx3AgRFdslwB/34bj0yDsKIHhBi2dZqxYg6ZWugM4gRK80i8O2Dzwafjtejf2bV 9iAMDiwUuA0b5NOOgzjasTjv/ZmFy1T+PmvhQHOy1PUncUxRx9vPekF9uck9nrN3 xWaxqCM7Ioahcw8jjHPpvh5n6yeYEpklwb0LIoc097gN6ycPghoeoH8kZBpNelpm wkpZqtAhawBRV2j8zTAfRHxvqu20tgAY499bQ+uKuA1Buy48HAIfgUP68i551wIP d1ne/x9jbTE= =t9i7 -----END PGP SIGNATURE-----