View online: https://www.drupal.org/SA-CORE-2018-005
* Advisory ID: SA-CORE-2018-005 * Project: Drupal core [1] * Version: 8.x * CVE: CVE-2018-14773 * Date: 2018-August-01
-------- DESCRIPTION ---------------------------------------------------------
The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue [2].
The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory [3] and update or patch as needed.
The Drupal Security Team would like to to thank the Symfony and Zend Security teams for their collaboration on this issue.
-------- VERSIONS AFFECTED ---------------------------------------------------
8.x versions before 8.5.6.
-------- SOLUTION ------------------------------------------------------------
Upgrade to Drupal 8.5.6.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [4].
Learn more about the Drupal Security team and their policies [5], writing secure code for Drupal [6], and securing your site [7].
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [8]
[1] https://www.drupal.org/project/drupal [2] https://symfony.com/cve-2018-14773 [3] https://framework.zend.com/security/advisory/ZF2018-01 [4] https://www.drupal.org/contact [5] https://www.drupal.org/security-team [6] https://www.drupal.org/writing-secure-code [7] https://www.drupal.org/security/secure-configuration [8] https://twitter.com/drupalsecurity