
Apologies for cross-posting.

Cheers, Peter

---------- Forwarded message ----------
From: Mark Foster <...>
Date: Thu, Mar 29, 2018 at 9:20 AM
Subject: [NZLUG] [Fwd: [Security-news] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002]
To: nzlug(a)lists.nzoss.org.nz

I know there's plenty of Drupal out there, and I don't usually forward these around, but in case you haven't heard...

The Drupal team took the unusual step of warning that this was coming several days ago; that helps set the tone for the severity of this.

I've taken the unusual step of disabling my own Drupal based website until I can attend to its update.

Mark.

---------------------------- Original Message ----------------------------
Subject: [Security-news] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002
From: security-news(a)drupal.org
Date: Thu, March 29, 2018 8:21 am
To: security-news(a)drupal.org
--------------------------------------------------------------------------

View online: https://www.drupal.org/sa-core-2018-002

Project: Drupal core [1]
Date: 2018-March-28
Security risk: *Highly critical* 21/25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Remote Code Execution

Description:

CVE: CVE-2018-7600

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

The security team has written an FAQ [3] about this issue.

Solution:

Upgrade to the most recent version of Drupal 7 or 8 core.

* *If you are running 7.x, upgrade to Drupal 7.58 [4].* (If you are unable to update immediately, you can attempt to apply this patch [5] to fix the vulnerability until such time as you are able to completely update.)
* *If you are running 8.5.x, upgrade to Drupal 8.5.1 [6].* (If you are unable to update immediately, you can attempt to apply this patch [7] to fix the vulnerability until such time as you are able to completely update.)

Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases [8]. However, given the potential severity of this issue, we /are/ providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0. Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.

* If you are running 8.3.x, upgrade to Drupal 8.3.9 [9] or apply this patch [10].
* If you are running 8.4.x, upgrade to Drupal 8.4.6 [11] or apply this patch [12].

This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.

This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor [13].

Reported By:

* Jasper Mattsson [14]

Fixed By:

* Jasper Mattsson [15]
* Samuel Mortenson [16] Provisional Drupal Security Team member
* David Rothstein [17] of the Drupal Security Team
* Jess (xjm) [18] of the Drupal Security Team
* Michael Hess [19] of the Drupal Security Team
* Lee Rowlands [20] of the Drupal Security Team
* Peter Wolanin [21] of the Drupal Security Team
* Alex Pott [22] of the Drupal Security Team
* David Snopek [23] of the Drupal Security Team
* Pere Orga [24] of the Drupal Security Team
* Neil Drumm [25] of the Drupal Security Team
* Cash Williams [26] of the Drupal Security Team
* Daniel Wehner [27]
* Tim Plunkett [28]

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://groups.drupal.org/security/faq-2018-002
[4] https://www.drupal.org/project/drupal/releases/7.58
[5] https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5
[6] https://www.drupal.org/project/drupal/releases/8.5.1
[7] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
[8] https://www.drupal.org/core/release-cycle-overview
[9] https://www.drupal.org/project/drupal/releases/8.3.9
[10] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
[11] https://www.drupal.org/project/drupal/releases/8.4.6
[12] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
[13] https://www.drupal.org/project/d6lts
[14] https://www.drupal.org/u/Jasu_M
[15] https://www.drupal.org/u/Jasu_M
[16] https://www.drupal.org/user/2582268
[17] https://www.drupal.org/user/124982
[18] https://www.drupal.org/user/65776
[19] https://www.drupal.org/user/102818
[20] https://www.drupal.org/u/larowlan
[21] https://www.drupal.org/user/49851
[22] https://www.drupal.org/u/alexpott
[23] https://www.drupal.org/u/dsnopek
[24] https://www.drupal.org/u/pere-orga
[25] https://www.drupal.org/u/drumm
[26] https://www.drupal.org/u/cashwilliams
[27] https://www.drupal.org/u/dawehner
[28] https://www.drupal.org/u/tim.plunkett

_______________________________________________
Security-news mailing list
Security-news(a)drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

_______________________________________________
NZLUG mailing list
NZLUG(a)lists.nzoss.org.nz
http://lists.nzoss.org.nz/mailman/listinfo/nzlug

--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
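An added example, not part of the forwarded advisory or of Drupal's own code: a POSIX sh helper for triaging a fleet of sites against SA-CORE-2018-002. It reads the core version from a Drupal checkout (the VERSION constant lives in includes/bootstrap.inc on 7.x and in core/lib/Drupal.php on 8.x) and maps it to the action the advisory prescribes per branch; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the advisory: locate the Drupal core version
# in a site root and classify it against the fixed releases listed in
# SA-CORE-2018-002 (7.58, 8.3.9, 8.4.6, 8.5.1).

# Print the core version found under $1 (D8 layout checked first).
drupal_core_version() {
  root=$1
  if [ -f "$root/core/lib/Drupal.php" ]; then
    sed -n "s/^[[:space:]]*const VERSION = '\([^']*\)';.*/\1/p" "$root/core/lib/Drupal.php"
  elif [ -f "$root/includes/bootstrap.inc" ]; then
    sed -n "s/^[[:space:]]*define('VERSION', '\([^']*\)');.*/\1/p" "$root/includes/bootstrap.inc"
  else
    echo "no Drupal core found under $root" >&2
    return 1
  fi
}

# Print the action the advisory prescribes for a core version string.
sa_core_2018_002_status() {
  v=${1%%-*}                       # drop suffixes such as 8.5.0-rc1
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}
  case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
  case "$major" in
    6) echo "Drupal 6 is end of life: contact a D6LTS vendor" ;;
    7) if [ "$minor" -ge 58 ]; then echo "fixed"
       else echo "vulnerable: upgrade to 7.58"; fi ;;
    8) case "$minor" in
         5) if [ "$patch" -ge 1 ]; then echo "fixed"
            else echo "vulnerable: upgrade to 8.5.1"; fi ;;
         4) if [ "$patch" -ge 6 ]; then echo "fixed, but 8.4.x is unsupported: move to 8.5.x"
            else echo "vulnerable: upgrade to 8.4.6, then to 8.5.x"; fi ;;
         3) if [ "$patch" -ge 9 ]; then echo "fixed, but 8.3.x is unsupported: move to 8.5.x"
            else echo "vulnerable: upgrade to 8.3.9, then to 8.5.x"; fi ;;
         *) if [ "$minor" -gt 5 ]; then echo "newer than the releases covered by this advisory"
            else echo "vulnerable and unsupported: upgrade to 8.5.1"; fi ;;
       esac ;;
    *) echo "unrecognised Drupal major version: $major" ;;
  esac
}

# Usage: sa_core_2018_002_status "$(drupal_core_version /var/www/drupal)"
```

Run it across every document root on a host to get one line per site saying whether the advisory still applies.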