Drupal announces release of critical update for versions 7 and 8
Drupal has again warned against a patch for a critical leak in version 7 and 8 of its content management system. It will be out of normal update planning on 25 April. Where Drupal spoke at the earlier leak of highly critical it uses here critical .
Therefore the seriousness of the new vulnerability with characteristic CVE-2018-7602, to be less than that of the leak for which the Drupal team issued patches at the end of March. The seriousness is such that the team deems it necessary to announce the release, which takes place outside the normal schedule. The team does not give details, but writes that it is a follow-up of the previous leak and that it is again possible that exploits will be developed within a few hours or days.
The release will take place on 25 April. between 16:00 and 18:00 UTC, which means 18:00 and 20:00 local time. The update comes out for versions 7.x, 8.4.x and 8.5.x, where users of the first and last release can update in a normal way. The team recommends users of version 8.4.x to first update to 8.4.8 and then later to a supported version such as 8.5.3. At the stated time, the Drupal team wants to make more information available on its security page . No database update would be required.
In the previous leak, the team also warned that exploits would be developed, which then also happened. Although this took a little longer than expected. The team warned on April 13 for ‘automated attacks’ on unpatched Drupal versions. Subsequently warned a security company a week ago that variants of the Tsunami botnet were targeting unpatched sites.
The release will take place on 25 April. between 16:00 and 18:00 UTC, which means 18:00 and 20:00 local time. The update comes out for versions 7.x, 8.4.x and 8.5.x, where users of the first and last release can update in a normal way. The team recommends users of version 8.4.x to first update to 8.4.8 and then later to a supported version such as 8.5.3. At the stated time, the Drupal team wants to make more information available on its security page . No database update would be required.
In the previous leak, the team also warned that exploits would be developed, which then also happened. Although this took a little longer than expected. The team warned on April 13 for ‘automated attacks’ on unpatched Drupal versions. Subsequently warned a security company a week ago that variants of the Tsunami botnet were targeting unpatched sites.