NEWS “Extremely critical” is not clickbait. Drupal has announced an emergency update for all versions of the CMS and explained why you cannot delay

pinkman

Today is an unscheduled working day for admins.

Drupal developers have warned that they are preparing an urgent security update for all supported branches of the content management system. Patches will be released on May 20 between 17:00 and 21:00 UTC, and the vulnerability has already been rated “extremely critical”.

The Drupal security team urged administrators to set aside time in advance to install the updates. According to the developers, once the fixes are published, attackers will be able to create working exploits within hours or days. The problem does not affect all site configurations, but the developers advise checking sites immediately after the updates are released. Information on how to reduce the risk will appear along with the security bulletin.

Fixes will be prepared for all supported Drupal Core branches, including versions 11.3.x, 11.2.x, 10.6.x and 10.5.x. Site owners were advised to upgrade in advance to the latest available release within their branch, to avoid additional problems when the urgent patch has to be installed.

Due to the severity of the vulnerability, the Drupal team will also release updates for the outdated 11.1.x and 10.4.x branches, although support for such versions has normally already ended. Site owners on Drupal 11.0 and 11.1 were advised to upgrade to at least version 11.1.9. For sites running Drupal 10.0-10.4, upgrading to at least Drupal 10.4.4 is recommended.

For the fully unsupported Drupal 8 and Drupal 9, there will be no ready-made updates. Instead, the developers will publish separate patch files for Drupal 8.9 and 9.5. These patches will have to be applied manually, and the project team warned that the fixes may be unstable and cause new errors.

The developers also pointed out that Drupal 8 and 9 contain many other known vulnerabilities that are no longer being fixed. Owners of such sites were advised to move to at least Drupal 10.6 as soon as possible. Drupal 7, according to the project team, is not affected.

Details of the problem have not yet been disclosed. The vulnerability will be described in detail, and instructions for protecting sites will be published on May 20 on the official Drupal security portal.
 