View online: https://www.drupal.org/SA-CORE-2018-005 * Advisory ID: SA-CORE-2018-005 * Project: Drupal core [1] * Version: 8.x * CVE: CVE-2018-14773 * Date: 2018-August-01 -------- DESCRIPTION --------------------------------------------------------- The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue [2]. The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory [3] and update or patch as needed. The Drupal Security Team would like to to thank the Symfony and Zend Security teams for their collaboration on this issue. -------- VERSIONS AFFECTED --------------------------------------------------- 8.x versions before 8.5.6. -------- SOLUTION ------------------------------------------------------------ Upgrade to Drupal 8.5.6. Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage. -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [4]. Learn more about the Drupal Security team and their policies [5], writing secure code for Drupal [6], and securing your site [7]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [8] [1] https://www.drupal.org/project/drupal [2] https://symfony.com/cve-2018-14773 [3] https://framework.zend.com/security/advisory/ZF2018-01 [4] https://www.drupal.org/contact [5] https://www.drupal.org/security-team [6] https://www.drupal.org/writing-secure-code [7] https://www.drupal.org/security/secure-configuration [8] https://twitter.com/drupalsecurity