[Security-news] Drupal Core - 3rd-party libraries -SA-CORE-2018-005
security-news at drupal.org
security-news at drupal.org
Wed Aug 1 21:00:31 UTC 2018
View online: https://www.drupal.org/SA-CORE-2018-005
* Advisory ID: SA-CORE-2018-005
* Project: Drupal core [1]
* Version: 8.x
* CVE: CVE-2018-14773
* Date: 2018-August-01
-------- DESCRIPTION
---------------------------------------------------------
The Drupal project uses the Symfony library. The Symfony library has released
a security update that impacts Drupal. Refer to the Symfony security
advisory for the issue [2].
The same vulnerability also exists in the Zend Feed and Diactoros libraries
included in Drupal core; however, Drupal core does not use the vulnerable
functionality. If your site or module uses Zend Feed or Diactoros directly,
read the Zend Framework security advisory [3] and update or patch as needed.
The Drupal Security Team would like to to thank the Symfony and Zend Security
teams for their collaboration on this issue.
-------- VERSIONS AFFECTED
---------------------------------------------------
8.x versions before 8.5.6.
-------- SOLUTION
------------------------------------------------------------
Upgrade to Drupal 8.5.6.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive
security coverage.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [4].
Learn more about the Drupal Security team and their policies [5], writing
secure code for Drupal [6], and securing your site [7].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [8]
[1] https://www.drupal.org/project/drupal
[2] https://symfony.com/cve-2018-14773
[3] https://framework.zend.com/security/advisory/ZF2018-01
[4] https://www.drupal.org/contact
[5] https://www.drupal.org/security-team
[6] https://www.drupal.org/writing-secure-code
[7] https://www.drupal.org/security/secure-configuration
[8] https://twitter.com/drupalsecurity
More information about the Security-news
mailing list