View online: https://www.drupal.org/sa-core-2019-009
Project: Drupal core [1]
Version: 8.8.x-dev, 8.7.x-dev
Date: 2019-December-18
Security risk: *Moderately critical* 12∕25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:All [2]
Vulnerability: Denial of Service
Description: A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.
Solution: Install the latest version:
* If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11 [3].
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1 [4].
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.
To mitigate this issue in any version of Drupal 8, you can also block access to install.php if it's not required.
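One way to check that the install.php block described above is in effect, as an added example that is not part of the Drupal advisory: it scans web server access log lines for requests to install.php and separates refused requests from served ones. The Combined Log Format, the refused-status set, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: Apache/nginx Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# install.php as a whole path segment, e.g. /core/install.php
INSTALL_RE = re.compile(r'(^|/)install\.php(/|$)')
# Assumption: these statuses mean the server refused the request.
REFUSED = {401, 403, 404, 410}

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Dec/2019:10:01:02 +0000] "GET /core/install.php HTTP/1.1" 200 5120 "-" "curl/7.64"',
    '198.51.100.7 - - [18/Dec/2019:10:03:44 +0000] "GET /core/install.php?langcode=en HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Dec/2019:10:05:00 +0000] "GET /node/1 HTTP/1.1" 200 8042 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Dec/2019:10:06:10 +0000] "GET /core/%69nstall.php HTTP/1.1" 302 0 "-" "-"',
    'not an access log line',
]

def install_php_hits(lines):
    """Return (ip, timestamp, status) for each request that targets install.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        # Drop the query string, then normalise percent-encoding and case.
        path = unquote(m.group("path").split("?", 1)[0]).lower()
        if INSTALL_RE.search(path):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits

def served_hits(hits):
    """Hits the server did not refuse: install.php is still reachable."""
    return [h for h in hits if h[2] not in REFUSED]

if __name__ == "__main__":
    for ip, ts, status in served_hits(install_php_hits(SAMPLE_LOG)):
        print(f"install.php served: {ip} [{ts}] status={status}")
```

Any entry returned by `served_hits` after the block is deployed means the rule is not matching that request, and caches may need rebuilding on an unpatched site.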
Reported By:
* Drew Webber [5] of the Drupal Security Team
Fixed By:
* Drew Webber [6] of the Drupal Security Team
* Lee Rowlands [7] of the Drupal Security Team
* Heine [8] of the Drupal Security Team
* Alex Pott [9] of the Drupal Security Team
* Jess [10] of the Drupal Security Team
* Damien McKenna [11] of the Drupal Security Team
* David Snopek [12] of the Drupal Security Team
* Nathaniel Catchpole [13] of the Drupal Security Team
* Greg Knaddison [14] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.7.11
[4] https://www.drupal.org/project/drupal/releases/8.8.1
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/255969
[7] https://www.drupal.org/user/395439
[8] https://www.drupal.org/user/17943
[9] https://www.drupal.org/user/157725
[10] https://www.drupal.org/user/65776
[11] https://www.drupal.org/user/108450
[12] https://www.drupal.org/user/266527
[13] https://www.drupal.org/user/35733
[14] https://www.drupal.org/user/36762