Drupal Again Announces Critical Update Release for Versions 7 and 8
Drupal has again given advance notice of a patch for a critical vulnerability in versions 7 and 8 of its content management system. The patch will be released on April 25, outside the normal update schedule. Where Drupal rated the previous vulnerability "highly critical", it uses the designation "critical" here.
As a result, the severity of the new vulnerability, identified as CVE-2018-7602, appears to be lower than that of the vulnerability for which the Drupal team released patches at the end of March. It is still serious enough that the team deems it necessary to announce the release, which takes place outside the normal schedule. The team does not provide details, but writes that it is a follow-up to the previous vulnerability and that it is again possible that exploits for it will be developed within hours or days.
The release will take place on April 25 between 16:00 and 18:00 UTC, which equates to 18:00 and 20:00 local time. The update covers versions 7.x, 8.4.x and 8.5.x, and users of the first and last of these can update normally. The team recommends that users of version 8.4.x update to 8.4.8 first and then later to a supported version such as 8.5.3. At that time, the Drupal team plans to make more information available on its security page. No database update is expected to be required.
With the previous vulnerability, the team also warned that exploits would be developed, which subsequently happened, although it took a little longer than expected. On April 13, the team warned of "automated attacks" on unpatched Drupal versions. A week ago, a security company then warned that variants of the Tsunami botnet were targeting unpatched sites.