[kwlug-disc] [Security-news] Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003

Chamunks chamunks at gmail.com
Thu May 3 11:58:48 EDT 2018


Do we keep website snapshots of the KWLUG?  I imagine we must but I just
want to ask.

On Thu, May 3, 2018 at 11:24 AM Khalid Baheyeldin <kb at 2bits.com> wrote:

> That last one was weaponized within hours.
>
>
> https://www.bleepingcomputer.com/news/security/hackers-dont-give-site-owners-time-to-patch-start-exploiting-new-drupal-flaw-within-hours/
>
> On Mon, Apr 23, 2018 at 3:29 PM, Khalid Baheyeldin <kb at 2bits.com> wrote:
>
>> Another security release in two days between 12:00 and 14:00 (EDT).
>>
>> If you have a Drupal site, be prepared to apply it as soon as it comes
>> out.
>>
>>
>> ---------- Forwarded message ----------
>> From:  <security-news at drupal.org>
>> Date: Mon, Apr 23, 2018 at 1:09 PM
>> Subject: [Security-news] Drupal 7 and 8 core critical release on April
>> 25th, 2018 PSA-2018-003
>> To: security-news at drupal.org
>>
>>
>> View online: https://www.drupal.org/psa-2018-003
>>
>> There will be a security release of *Drupal 7.x, 8.4.x, and 8.5.x on
>> April 25th, 2018 between 16:00 - 18:00 UTC*. This PSA is to notify that
>> the Drupal core release is outside of the regular schedule [1] of
>> security releases. For all security updates, the Drupal Security Team
>> urges you to reserve time for core updates at that time because there is
>> some risk that exploits might be developed within hours or days. Security
>> release announcements will appear on the Drupal.org security advisory
>> page.
>>
>> This security release is a follow-up to the one released as
>> SA-CORE-2018-002 [2] on March 28.
>>
>>   * Sites on 7.x or 8.5.x can immediately update when the advisory is
>>     released using the normal procedure.
>>   * Sites on 8.4.x should immediately update to the 8.4.8 release that
>>     will be provided in the advisory, and then plan to update to 8.5.3 or
>>     the latest security release as soon as possible (since 8.4.x no longer
>>     receives official security coverage).
>>
>> The security advisory will list the appropriate version numbers for each
>> branch. Your site's update report page will recommend the 8.5.x release
>> even if you are on 8.4.x or an older release, but temporarily updating to
>> the provided backport for your site's current version will ensure you can
>> update quickly without the possible side effects of a minor version
>> update.
>>
>> Patches for Drupal 7.x, 8.4.x, 8.5.x and 8.6.x will be provided in
>> addition to the releases mentioned above. (If your site is on a Drupal 8
>> release older than 8.4.x, it no longer receives security coverage and will
>> not receive a security update. The provided patches may work for your
>> site, but upgrading is strongly recommended as older Drupal versions
>> contain other disclosed security vulnerabilities.)
>>
>> This release will not require a database update.
>>
>> The CVE for this issue is CVE-2018-7602. The Drupal-specific identifier
>> for the issue will be SA-CORE-2018-004.
>>
>> The Security Team or any other party is not able to release any more
>> information about this vulnerability until the announcement is made. The
>> announcement will be made public at https://www.drupal.org/security, over
>> Twitter, and in email for those who have subscribed to our email list. To
>> subscribe to the email list: login on Drupal.org, go to your user profile
>> page, and subscribe to the security newsletter on the Edit » My
>> newsletters tab.
>>
>> Journalists interested in covering the story are encouraged to email
>> security-press at drupal.org to be sure they will get a copy of the
>> journalist-focused release. The Security Team will release a
>> journalist-focused summary email at the same time as the new code release
>> and advisory.
>>
>> If you find a security issue, please report it at
>> https://www.drupal.org/security-team/report-issue.
>>
>>
>> [1] https://www.drupal.org/node/1173280
>> [2] https://www.drupal.org/sa-core-2018-002
>>
>> _______________________________________________
>> Security-news mailing list
>> Security-news at drupal.org
>> Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
>>
>>
>> --
>> Khalid M. Baheyeldin
>> 2bits.com, Inc.
>> Fast Reliable Drupal
>> Drupal optimization, development, customization and consulting.
>> Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
>> Simplicity is the ultimate sophistication. -- anonymous
>>
>
>
>
> --
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> Simplicity is the ultimate sophistication. -- anonymous
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>