Thursday, October 18, 2018

Drupal 8.6.2 and 7.60 critical releases (SA-CORE-2018-006)

Drupal has released new versions that fix several security vulnerabilities, two of them rated Critical (remote code execution). We strongly recommend upgrading your existing Drupal 7 and Drupal 8 sites.

The fixed vulnerabilities are listed below:

  • Content moderation - Moderately critical - Access bypass - Drupal 8
  • External URL injection through URL aliases - Moderately critical - Open redirect - Drupal 7 and Drupal 8
  • Anonymous open redirect - Moderately critical - Open redirect - Drupal 8
  • Injection in DefaultMailSystem::mail() - Critical - Remote code execution - Drupal 7 and Drupal 8
  • Contextual Links validation - Critical - Remote code execution - Drupal 8

We recommend that you upgrade your Drupal application to Drupal 7.60 (7.x sites) or Drupal 8.6.2 (8.x sites). We highly recommend creating a backup before proceeding. You can follow our Drupal, CiviCRM or Open Atrium documentation to learn how to upgrade your application and address this security issue.
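The following script is an added check, not part of this post or of Drupal's own tooling: it reads the core version string out of a Drupal docroot and tells you whether it is at or above the versions recommended above (7.60 and 8.6.2). It assumes the standard core layout, where Drupal 8 declares `const VERSION = '...';` in core/lib/Drupal.php and Drupal 7 declares `define('VERSION', '...');` in includes/bootstrap.inc; the docroot path in the usage line is only an illustration, and the sample docroots it builds when run without arguments are constructed on the fly so the script works offline.

```shell
#!/bin/sh
# Added example (not from the Bitnami post or from Drupal): check whether a
# Drupal docroot is at or above the versions the post recommends for
# SA-CORE-2018-006 (7.60 for 7.x, 8.6.2 for 8.x).
# Assumption: standard core layout, i.e. Drupal 8 keeps
#   const VERSION = '8.6.2';      in core/lib/Drupal.php
# and Drupal 7 keeps
#   define('VERSION', '7.60');    in includes/bootstrap.inc

# Print the version string found under docroot $1 (prints nothing if none found).
drupal_version() {
  if [ -f "$1/core/lib/Drupal.php" ]; then
    sed -n "s/^[[:space:]]*const VERSION = '\([^']*\)';.*/\1/p" "$1/core/lib/Drupal.php"
  elif [ -f "$1/includes/bootstrap.inc" ]; then
    sed -n "s/^[[:space:]]*define('VERSION', '\([^']*\)');.*/\1/p" "$1/includes/bootstrap.inc"
  fi
}

# Return 0 if dotted version $1 is >= $2, comparing field by field numerically
# (so 8.10.0 > 8.6.2). Anything that is not purely digits and dots, such as
# "8.6.2-dev" or "7.60-rc1", is treated as NOT patched: a pre-release build
# should not pass a security gate.
version_ge() {
  case "$1$2" in *[!0-9.]*) return 1 ;; esac
  i=1
  while :; do
    # Trailing "." guarantees cut sees a delimiter and never echoes the whole line.
    a=$(printf '%s\n' "$1." | cut -d. -f"$i")
    b=$(printf '%s\n' "$2." | cut -d. -f"$i")
    [ -z "$a" ] && [ -z "$b" ] && return 0
    a=${a:-0}; b=${b:-0}
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
    i=$((i + 1))
  done
}

# Classify docroot $1: prints a verdict and returns 0 (patched),
# 1 (upgrade required) or 2 (no Drupal core found / unrecognised version).
check_drupal() {
  v=$(drupal_version "$1")
  [ -n "$v" ] || { echo "$1: no Drupal core found"; return 2; }
  case "$v" in
    8.*) fixed=8.6.2 ;;
    7.*) fixed=7.60 ;;
    *)   echo "$1: unrecognised Drupal version '$v'"; return 2 ;;
  esac
  if version_ge "$v" "$fixed"; then
    echo "$1: Drupal $v is at or above $fixed (SA-CORE-2018-006 fixed)"
  else
    echo "$1: Drupal $v is below $fixed, upgrade required (SA-CORE-2018-006)"
    return 1
  fi
}

# Constructed sample docroot (not a real install): writes the single line each
# check needs into a fresh temp dir and prints its path. $1 = 7 or 8, $2 = version.
sample_docroot() {
  d=$(mktemp -d)
  if [ "$1" = 8 ]; then
    mkdir -p "$d/core/lib"
    printf "<?php\nclass Drupal {\n  const VERSION = '%s';\n}\n" "$2" > "$d/core/lib/Drupal.php"
  else
    mkdir -p "$d/includes"
    printf "<?php\ndefine('VERSION', '%s');\n" "$2" > "$d/includes/bootstrap.inc"
  fi
  echo "$d"
}

# Usage: sh check-drupal.sh /opt/bitnami/apps/drupal/htdocs   (path is illustrative)
# With no argument, run against the constructed samples instead.
if [ $# -gt 0 ]; then
  check_drupal "$1"
else
  for spec in "8 8.6.1" "8 8.6.2" "7 7.59" "7 7.60" "8 8.6.2-dev"; do
    set -- $spec
    check_drupal "$(sample_docroot "$1" "$2")" || true
  done
fi
```

Two caveats a practitioner should keep in mind: the script only inspects the core version string, so it says nothing about contributed modules, and a version number that passes the gate tells you nothing about whether the site was already exploited before you upgraded, which is a separate question for your logs and backups.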

For new application deployments, including those through the Bitnami Launchpad, we have released Drupal 7.60 and 8.6.2, CiviCRM and Open Atrium containers, installers, virtual machines and cloud images that include the fixes for these vulnerabilities.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, where we will be happy to help.