- OS details: WN7
- Importance: URG
- Operating systems: W, M, U, L, O
- Categories: ALL, W08, W12, W16, HPQ, LRH, LDE, LSU, FBS, LFE, LGE, LUB, APL
View online: https://www.drupal.org/sa-core-2018-002
Project: Drupal core 
Security risk: *Highly critical* 21∕25
Vulnerability: Remote Code Execution
A remote code execution vulnerability exists within multiple subsystems of
Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple
attack vectors on a Drupal site, which could result in the site being
The security team has written an FAQ about this issue.
Upgrade to the most recent version of Drupal 7 or 8 core.
* *If you are running 7.x, upgrade to Drupal 7.58.* (If you are unable
to update immediately, you can attempt to apply this patch to fix the
vulnerability until such time as you are able to completely update.)
* *If you are running 8.5.x, upgrade to Drupal 8.5.1.* (If you are
unable to update immediately, you can attempt to apply this patch to
fix the vulnerability until such time as you are able to completely
Drupal 8.3.x and 8.4.x are no longer supported and we don’t normally provide
security releases for unsupported minor releases. However, given the
potential severity of this issue, we /are/ providing 8.3.x and 8.4.x releases
that include the fix for sites which have not yet had a chance to update to
Your site’s update report page will recommend the 8.5.x release even if you
are on 8.3.x or 8.4.x. Please take the time to update to a supported version
after installing this security update.
* If you are running 8.3.x, upgrade to Drupal 8.3.9 or apply this patch
* If you are running 8.4.x, upgrade to Drupal 8.4.6 or apply this
This issue also affects Drupal 8.2.x and earlier, which are no longer
supported. If you are running any of these versions of Drupal 8, update to a
more recent release and then follow the instructions above.
This issue also affects Drupal 6. Drupal 6 is End of Life. For more
information on Drupal 6 support please contact a D6LTS vendor.
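The upgrade guidance above can be applied to a site inventory with a small triage script. This is an added example, not part of the advisory: `triage`, `needs_action` and the sample inventory are hypothetical, and it goes beyond the advisory text by marking dev snapshots and branches the advisory does not name as "unknown" instead of guessing.

```python
import re

# Fixed releases as stated in the advisory, keyed by branch.
FIXED = {"7": (7, 58), "8.3": (8, 3, 9), "8.4": (8, 4, 6), "8.5": (8, 5, 1)}

def triage(version):
    """Return (status, action) for one reported Drupal core version string."""
    m = re.fullmatch(r"(\d+)((?:\.\d+)*)((?:\.x)?(?:-[\w.]+)?)", version.strip())
    if not m:
        return ("unknown", "unparseable version string")
    nums = (int(m.group(1)),) + tuple(int(p) for p in m.group(2).split(".") if p)
    suffix, major = m.group(3), int(m.group(1))
    if major == 6:
        return ("vulnerable", "Drupal 6 is End of Life; contact a D6LTS vendor")
    if major == 8 and len(nums) >= 2 and nums[1] <= 2:
        return ("vulnerable", "unsupported 8.x branch; update to a more recent release")
    branch = "7" if major == 7 else ".".join(map(str, nums[:2]))
    # Dev snapshots (".x") and branches the advisory does not name cannot be
    # decided from the version string alone.
    if ".x" in suffix or branch not in FIXED or len(nums) != len(FIXED[branch]):
        return ("unknown", "check manually; not decidable from the advisory")
    fixed = FIXED[branch]
    # A pre-release suffix on the fixed number (e.g. "-rc1") sorts before the
    # release, so it is conservatively treated as still vulnerable.
    if nums > fixed or (nums == fixed and not suffix):
        return ("fixed", "none")
    return ("vulnerable", "upgrade to Drupal " + ".".join(map(str, fixed)))

def needs_action(inventory):
    """Return (host, version, status, action) for sites not confirmed fixed."""
    rows = [(host, ver) + triage(ver) for host, ver in inventory.items()]
    return sorted(r for r in rows if r[2] != "fixed")

# Constructed sample inventory (host names and versions are made up).
SAMPLE = {
    "www.example.org": "7.57",
    "shop.example.org": "8.5.1",
    "intranet.example.org": "8.4.5",
    "legacy.example.org": "6.38",
    "staging.example.org": "8.5.x-dev",
}

if __name__ == "__main__":
    for host, ver, status, action in needs_action(SAMPLE):
        print(f"{host:22} {ver:10} {status:10} {action}")
```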
* Jasper Mattsson
* Jasper Mattsson
* Samuel Mortenson Provisional Drupal Security Team member
* David Rothstein of the Drupal Security Team
* Jess (xjm) of the Drupal Security Team
* Michael Hess of the Drupal Security Team
* Lee Rowlands of the Drupal Security Team
* Peter Wolanin of the Drupal Security Team
* Alex Pott of the Drupal Security Team
* David Snopek of the Drupal Security Team
* Pere Orga of the Drupal Security Team
* Neil Drumm of the Drupal Security Team
* Cash Williams of the Drupal Security Team
* Daniel Wehner
* Tim Plunkett
-------- CONTACT AND MORE INFORMATION
The Drupal security team can be reached by email at security at drupal.org or
via the contact form.
Learn more about the Drupal Security team and their policies, writing secure
code for Drupal, and securing your site.