[Security-news] Drupal 8 core upcoming critical release PSA-2017-001

security-news at drupal.org security-news at drupal.org
Mon Apr 17 16:08:18 UTC 2017


View online: https://www.drupal.org/psa-2017-001

   * Advisory ID: DRUPAL-PSA-2017-001
   * Project: Drupal core
   * Version: 8.x
   * Date: 2017-Apr-17

-------- DESCRIPTION ---------------------------------------------------------

There will be a security release of Drupal 8.3.x and 8.2.x on *April 19th 2017
between 17:00 - 18:00 UTC* that will fix a critical vulnerability. While we don't
normally provide security releases for unsupported minor releases [1], given
the potential severity, the 8.2.x release includes the fix for sites which
have not had a chance to update to 8.3.0. The Drupal Security Team urges you
to reserve time for core updates at that time because exploits are expected
to be developed within hours or days. Security release announcements will
appear at the standard announcement locations [2].

This vulnerability does not affect all Drupal 8 sites; it only affects sites
with certain configurations. It requires authenticated user access to
exploit. The security release announcement made on April 19th 2017 will
make it clear which configurations are affected. If this vulnerability
affects your site, you will need to update. Please set aside time on
Wednesday to look into this update.

Neither the Security Team, nor Security Team members, nor any Drupal-related
company are able to release any more information about this vulnerability
until the announcement is made in accordance with our security policies [3]
and responsible disclosure best practices [4].

Drupal 7 core is not affected by this issue.

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at Drupal.org or via the
contact form at https://www.drupal.org/contact [5].

Learn more about the Drupal Security team and their policies [6], writing
secure code for Drupal [7], and securing your site [8].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [9].


[1] https://www.drupal.org/core/release-cycle-overview
[2] https://www.drupal.org/security
[3] https://www.drupal.org/drupal-security-team/security-team-procedures/drupal-security-team-disclosure-policy-for-security
[4] https://en.wikipedia.org/wiki/Responsible_disclosure
[5] https://www.drupal.org/contact
[6] https://www.drupal.org/security-team
[7] https://www.drupal.org/writing-secure-code
[8] https://www.drupal.org/security/secure-configuration
[9] https://twitter.com/drupalsecurity


