Today, April 23, 2018, the Drupal security team has announced that it will publish a new security patch on April 25, 2018 that will complement the one already released on March 28 of this year and which was classified as high criticality.
As in that case, the following is recommended:
- Sites on 8.2.x and 8.3.x must upgrade to version 8.4.x in order to apply the security fix.
- Sites on 8.4.x should immediately upgrade to version 8.4.8 which will be provided in the security advisory, and then plan an upgrade to the latest security version in 8.5.3 (As 8.4.x will be out of support soon)
- Sites on 7.x or 8.5.x can be updated immediately when the security advisory is released using the normal procedure.
If you are unable to upgrade for any reason, patches will be released for versions 8.4.x, 8.5.x, and 8.6.x (If your Drupal 8 site is on a version lower than 8.4.x, it is no longer covered by security updates, however patches may still work, if you don't know how to do this, you can count on our services to assist you).
This update does not require a database-level update, its CVE code is CVE-2018-7602 . The Drupal-specific identifier for this case is SA-CORE-2018-004.
At SeeD EM we have an action protocol with our clients that has been activated and is in the process of being implemented to solve the problem on the scheduled date.
If you have a site in Drupal 7.x or 8.x, we recommend taking the necessary actions to apply the patch on April 25 as soon as possible. If you want to rely on our experience, you can also contact us to provide you with specialized service.
This update will in no way affect the performance and smooth operation of the Drupal platform in your company, but it will help you stay secure and provide confidence to your users.