[Security-news] Drupal Core - 3rd-party libraries -SA-CORE-2018-005

security-news at drupal.org security-news at drupal.org
Wed Aug 1 21:00:31 UTC 2018


View online: https://www.drupal.org/SA-CORE-2018-005

   * Advisory ID: SA-CORE-2018-005
   * Project: Drupal core [1]
   * Version: 8.x
   * CVE: CVE-2018-14773
   * Date: 2018-August-01

-------- DESCRIPTION
---------------------------------------------------------

The Drupal project uses the Symfony library. The Symfony library has released
a security update that impacts Drupal. Refer to the Symfony security
advisory for the issue [2].

The same vulnerability also exists in the Zend Feed and Diactoros libraries
included in Drupal core; however, Drupal core does not use the vulnerable
functionality. If your site or module uses Zend Feed or Diactoros directly,
read the Zend Framework security advisory [3] and update or patch as needed.

The Drupal Security Team would like to to thank the Symfony and Zend Security
teams for their collaboration on this issue.

-------- VERSIONS AFFECTED
---------------------------------------------------

8.x versions before 8.5.6.

-------- SOLUTION
------------------------------------------------------------

Upgrade to Drupal 8.5.6.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive
security coverage.

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [4].

Learn more about the Drupal Security team and their policies [5], writing
secure code for Drupal [6], and securing your site [7].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [8]


[1] https://www.drupal.org/project/drupal
[2] https://symfony.com/cve-2018-14773
[3] https://framework.zend.com/security/advisory/ZF2018-01
[4] https://www.drupal.org/contact
[5] https://www.drupal.org/security-team
[6] https://www.drupal.org/writing-secure-code
[7] https://www.drupal.org/security/secure-configuration
[8] https://twitter.com/drupalsecurity



More information about the Security-news mailing list