Drupal has announced that they will be releasing security updates of Drupal 7.x, 8.4.x, and 8.5.x on April 25, 2018 between 9:00am – 11:00am PST that will fix a highly critical security vulnerability.
If you are the owner or administrator of a Drupal website, the Drupal Security Team urges you to reserve time for core updates during this time. Exploits may be developed within hours or days.
Security release announcements will appear on the Drupal.org security advisory page at https://www.drupal.org/security.
For those with Drupal 6, we are hoping there will be a community patch available, but we won’t know until the official updates are released. More information about Drupal 6 patches are located here: https://www.drupal.org/project/issues/d6lts
Security Risk: Critical
1. As soon as the patches are released on April 25, 2018, update your installation of Drupal to the patched version.
2. Depending on the nature of the vulnerability, if you are running a version that cannot be patched, you may need to consider taking your site offline until the vulnerability can be remediated.
Drupal websites hosted by UBCIT Web Services
If your Drupal website is hosted by UBC IT Web Services, this patch will be assessed and addressed once it is available.
Drupal websites hosted on UBCIT Shared Web Hosting
If your Drupal website is hosted on UBC IT Shared Web Hosting, you are responsible for patching your Drupal install. If you require assistance, please contact firstname.lastname@example.org.
If you have any questions, please contact email@example.com