Drupal has released new versions that fix several critical security vulnerabilities. We strongly recommend upgrading your existing Drupal 7 and 8 sites.
The fixed vulnerabilities are listed below:
- Content moderation - Moderately critical - Access bypass - Drupal 8
- External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8
- Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8
- Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8
- Contextual Links validation - Critical - Remote Code Execution - Drupal 8
It is recommended that you upgrade your Drupal application to Drupal 7.60 and Drupal 8.6.2. We highly recommend creating a backup before proceeding. You can follow our Drupal, CiviCRM or Open Atrium documentation to learn how to upgrade your application and address this security issue.
For new application deployments, including those through the Bitnami Launchpad, we released Drupal 7.60 and 8.6.2, CiviCRM and Open Atrium containers, installers, virtual machines and cloud images that include the necessary fix to address these vulnerabilities.
If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, where we will be happy to help.