Drupal developers are being asked to give themselves extra time next week to fix a “highly critical” flaw in Drupal 7 and 8 core.
In an advisory sent to developers on Wednesday, Drupal notified them that, “there will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 – 19:30 UTC.” The security advisory did not identify the bug, only describing it as a “highly critical security vulnerability.”
“The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” according to the post.
Drupal is a content management system (CMS) that runs on over one million websites and is popular with e-commerce focused businesses. The CMS is the second most popular web management tool behind WordPress, and followed by Joomla.
The advisory said despite the fact Drupal 8.3.x and 8.4.x are not supported and that Drupal doesn’t “normally provide security releases for unsupported minor releases,” it will next week “given the potential severity of this issue.”
“We are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0,” Drupal said. The upcoming security advisory will list the appropriate version numbers for all three Drupal 8 branches, according to the advisory.
Developers behind Drupal told Threatpost that Drupal 6, with about 65,000 sites still running the version, are also affected by this security issue. They added that the D6LTS project will provide an upcoming patch for Drupal 6 as well.
Specifics regarding the patches and version numbers include:
* Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
* Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
* Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.
(This article was updated 3/26/2018 with information regarding Drupal 6)