Significant Drupal security vulnerability to be made public April 25
April 24, 2018
Garry Zacheiss

https://www.drupal.org/psa-2018-003

This issue is expected to follow a disclosure process similar to the Drupal issue released on March 28 of this year. Note: This is a separate issue from last month’s announcement and additional action is required for Drupal site administrators. While no additional details are available at this time, it is expected this issue will impact all currently deployed versions of Drupal. Drupal is a widely deployed technology at MIT, and Information Systems & Technology (IS&T) is taking steps to prepare for the release of additional information about this issue, similar to those that were taken in March:

  • Web sites deployed via IS&T's Drupal Cloud service will be patched to address this vulnerability on April 25th; no additional action is required on the part of Drupal Cloud site administrators.
  • Drupal sites hosted via IS&T's managed server hosting will likewise be secured against this vulnerability. Configuration for these sites is more diverse than Drupal Cloud, and IS&T will reach out to hosting customers to discuss specifics as additional details become available.

For Drupal sites at MIT not managed by IS&T or those hosted externally, we strongly recommend following up with your support provider to discuss options for securing your site once patches are available. Maintainers of Drupal sites not hosted by IS&T should plan to dedicate time on April 25 for patching and testing their site, and may wish to ensure prior to that time that the site is up to date on Drupal core patches.

If you have any questions or require assistance, contact the IS&T Service Desk.