<div dir="ltr">Dear all,<div><br></div><div>CSIRT Unicamp strongly recommends that sites running Drupal be updated as urgently as possible, given the criticality of this vulnerability.</div><div><br></div><div><br></div><div><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername"></b> <span dir="ltr"><<a href="mailto:security-news@drupal.org">security-news@drupal.org</a>></span><br>Date: 2018-03-28 16:21 GMT-03:00<br>Subject: [Security-news] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002<br>To: <a href="mailto:security-news@drupal.org">security-news@drupal.org</a><br><br><br>View online: <a href="https://www.drupal.org/sa-core-2018-002" rel="noreferrer" target="_blank">https://www.drupal.org/sa-core-2018-002</a><br>
<br>
Project: Drupal core [1]<br>
Date: 2018-March-28<br>
Security risk: *Highly critical* 21∕25<br>
AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]<br>
Vulnerability: Remote Code Execution<br>
<br>
Description: <br>
CVE: CVE-2018-7600<br>
<br>
A remote code execution vulnerability exists within multiple subsystems of<br>
Drupal 7.x and 8.x.  This potentially allows attackers to exploit multiple<br>
attack vectors on a Drupal site, which could result in the site being<br>
completely compromised.<br>
<br>
The security team has written an FAQ [3] about this issue.<br>
<br>
Solution: <br>
Upgrade to the most recent version of Drupal 7 or 8 core.<br>
<br>
  * *If you are running 7.x, upgrade to Drupal 7.58 [4].* (If you are unable<br>
    to update immediately, you can attempt to apply this patch [5] to fix the<br>
    vulnerability until such time as you are able to completely update.)<br>
  * *If you are running 8.5.x, upgrade to Drupal 8.5.1 [6].* (If you are<br>
    unable to update immediately, you can attempt to apply this patch [7] to<br>
    fix the vulnerability until such time as you are able to completely<br>
    update.)<br>
<br>
Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide<br>
security releases for unsupported minor releases [8]. However, given the<br>
potential severity of this issue, we /are/ providing 8.3.x and 8.4.x releases<br>
that include the fix for sites which have not yet had a chance to update to<br>
8.5.0.<br>
<br>
Your site's update report page will recommend the 8.5.x release even if you<br>
are on 8.3.x or 8.4.x. Please take the time to update to a supported version<br>
after installing this security update.<br>
<br>
  * If you are running 8.3.x, upgrade to Drupal 8.3.9 [9] or apply this patch<br>
    [10].<br>
  * If you are running 8.4.x, upgrade to Drupal 8.4.6 [11] or apply this patch<br>
    [12].<br>
<br>
This issue also affects Drupal 8.2.x and earlier, which are no longer<br>
supported. If you are running any of these versions of Drupal 8, update to a<br>
more recent release and then follow the instructions above.<br>
<br>
This issue also affects Drupal 6.  Drupal 6 is End of Life. For more<br>
information on Drupal 6 support please contact a D6LTS vendor [13].<br>
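Triage helper for the per-branch guidance above, written for this page as an added example (it is not part of the Drupal advisory or of CSIRT Unicamp's message). It takes an inventory of site names and installed core versions, which are assumed to come from each site's update report page or an existing asset list, and classifies each site against the fixed releases the advisory names (7.58, 8.5.1, 8.3.9, 8.4.6), the unsupported 8.2.x-and-earlier case, and Drupal 6 End of Life. The hostnames and versions in the sample inventory are constructed.<br>

```python
"""Triage helper for SA-CORE-2018-002 (CVE-2018-7600).

Added example; not part of the Drupal advisory or CSIRT Unicamp's message.
Encodes the advisory's per-branch fixed releases and classifies sites by
installed version so a responder can order the update work. Version strings
are assumed to come from each site's update report page or an inventory.
"""
import re

# Fixed releases named in SA-CORE-2018-002, keyed by release branch.
FIXED_RELEASES = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Accepts '7.58', '8.5.0', '8.5.1-rc1', '8.6.0-dev'; rejects '7.x-dev'.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?$")


def parse_version(text):
    """Split a Drupal core version into (numeric tuple, pre-release suffix or None)."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised Drupal version: %r" % text)
    numbers = tuple(int(part) for part in match.groups()[:3] if part is not None)
    return numbers, match.group(4)


def assess(version):
    """Classify one installed version against the advisory's guidance.

    Returns one of:
      'fixed'        - at or above the fixed release for its branch
      'vulnerable'   - on a covered branch, below the fixed release
      'unsupported'  - 8.2.x or earlier: move to a supported release first
      'eol'          - Drupal 6: End of Life, D6LTS vendor needed
      'check'        - branch not covered by the advisory text (e.g. 8.6.x-dev)
    """
    numbers, suffix = parse_version(version)
    major = numbers[0]
    if major <= 6:
        return "eol"
    if major == 7:
        branch = (7,)
    elif major == 8 and numbers[1] <= 2:
        return "unsupported"
    elif major == 8:
        branch = (8, numbers[1])
    else:
        return "check"
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return "check"
    # A pre-release of the fixed version (e.g. 8.5.1-rc1) predates the fix.
    if numbers > fixed or (numbers == fixed and suffix is None):
        return "fixed"
    return "vulnerable"


def triage(inventory):
    """Group site names by status; unparseable versions land in 'unparseable'."""
    groups = {}
    for site, version in inventory.items():
        try:
            status = assess(version)
        except ValueError:
            status = "unparseable"
        groups.setdefault(status, []).append(site)
    return {status: sorted(names) for status, names in groups.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "intranet.example.edu": "7.57",
    "library.example.edu": "7.58",
    "events.example.edu": "8.5.0",
    "news.example.edu": "8.5.1",
    "alumni.example.edu": "8.4.5",
    "labs.example.edu": "8.3.9",
    "legacy.example.edu": "8.2.7",
    "archive.example.edu": "6.38",
    "staging.example.edu": "8.6.0-dev",
    "unknown.example.edu": "7.x-dev",
}

if __name__ == "__main__":
    for status, names in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-12s %s" % (status, ", ".join(names)))
```

Run it as a script to print the groups, or import it and call triage() on a real inventory. Anything on a branch the advisory does not mention (8.6.x development builds, for instance) is reported as 'check' rather than silently assumed safe, and pre-release strings such as 8.5.1-rc1 are treated as older than the fixed release, so they stay in the 'vulnerable' group.<br>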
<br>
Reported By: <br>
  * Jasper Mattsson [14]<br>
<br>
Fixed By: <br>
  * Jasper Mattsson [15]<br>
  * Samuel Mortenson [16] Provisional Drupal Security Team member<br>
  * David Rothstein [17] of the Drupal Security Team<br>
  * Jess (xjm) [18] of the Drupal Security Team<br>
  * Michael Hess [19] of the Drupal Security Team<br>
  * Lee Rowlands [20] of the Drupal Security Team<br>
  * Peter Wolanin [21] of the Drupal Security Team<br>
  * Alex Pott [22] of the Drupal Security Team<br>
  * David Snopek [23] of the Drupal Security Team<br>
  * Pere Orga [24] of the Drupal Security Team<br>
  * Neil Drumm [25] of the Drupal Security Team<br>
  * Cash Williams [26] of the Drupal Security Team<br>
  * Daniel Wehner [27]<br>
  * Tim Plunkett [28]<br>
<br>
-------- CONTACT AND MORE INFORMATION<br>
----------------------------------------<br>
<br>
The Drupal security team can be reached by email at security at <a href="http://drupal.org" rel="noreferrer" target="_blank">drupal.org</a> or<br>
via the contact form.<br>
<br>
Learn more about the Drupal Security team and their policies, writing secure<br>
code for Drupal, and securing your site.<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/drupal" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://groups.drupal.org/security/faq-2018-002" rel="noreferrer" target="_blank">https://groups.drupal.org/security/faq-2018-002</a><br>
[4] <a href="https://www.drupal.org/project/drupal/releases/7.58" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/7.58</a><br>
[5] <a href="https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5" rel="noreferrer" target="_blank">https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5</a><br>
[6] <a href="https://www.drupal.org/project/drupal/releases/8.5.1" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/8.5.1</a><br>
[7] <a href="https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f" rel="noreferrer" target="_blank">https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f</a><br>
[8] <a href="https://www.drupal.org/core/release-cycle-overview" rel="noreferrer" target="_blank">https://www.drupal.org/core/release-cycle-overview</a><br>
[9] <a href="https://www.drupal.org/project/drupal/releases/8.3.9" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/8.3.9</a><br>
[10] <a href="https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f" rel="noreferrer" target="_blank">https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f</a><br>
[11] <a href="https://www.drupal.org/project/drupal/releases/8.4.6" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/8.4.6</a><br>
[12] <a href="https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f" rel="noreferrer" target="_blank">https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f</a><br>
[13] <a href="https://www.drupal.org/project/d6lts" rel="noreferrer" target="_blank">https://www.drupal.org/project/d6lts</a><br>
[14] <a href="https://www.drupal.org/u/Jasu_M" rel="noreferrer" target="_blank">https://www.drupal.org/u/Jasu_M</a><br>
[15] <a href="https://www.drupal.org/u/Jasu_M" rel="noreferrer" target="_blank">https://www.drupal.org/u/Jasu_M</a><br>
[16] <a href="https://www.drupal.org/user/2582268" rel="noreferrer" target="_blank">https://www.drupal.org/user/2582268</a><br>
[17] <a href="https://www.drupal.org/user/124982" rel="noreferrer" target="_blank">https://www.drupal.org/user/124982</a><br>
[18] <a href="https://www.drupal.org/user/65776" rel="noreferrer" target="_blank">https://www.drupal.org/user/65776</a><br>
[19] <a href="https://www.drupal.org/user/102818" rel="noreferrer" target="_blank">https://www.drupal.org/user/102818</a><br>
[20] <a href="https://www.drupal.org/u/larowlan" rel="noreferrer" target="_blank">https://www.drupal.org/u/larowlan</a><br>
[21] <a href="https://www.drupal.org/user/49851" rel="noreferrer" target="_blank">https://www.drupal.org/user/49851</a><br>
[22] <a href="https://www.drupal.org/u/alexpott" rel="noreferrer" target="_blank">https://www.drupal.org/u/alexpott</a><br>
[23] <a href="https://www.drupal.org/u/dsnopek" rel="noreferrer" target="_blank">https://www.drupal.org/u/dsnopek</a><br>
[24] <a href="https://www.drupal.org/u/pere-orga" rel="noreferrer" target="_blank">https://www.drupal.org/u/pere-orga</a><br>
[25] <a href="https://www.drupal.org/u/drumm" rel="noreferrer" target="_blank">https://www.drupal.org/u/drumm</a><br>
[26] <a href="https://www.drupal.org/u/cashwilliams" rel="noreferrer" target="_blank">https://www.drupal.org/u/cashwilliams</a><br>
[27] <a href="https://www.drupal.org/u/dawehner" rel="noreferrer" target="_blank">https://www.drupal.org/u/dawehner</a><br>
[28] <a href="https://www.drupal.org/u/tim.plunkett" rel="noreferrer" target="_blank">https://www.drupal.org/u/tim.plunkett</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>
Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br>
</div><br></div></div>