Download Drupal 8.2.8 / 8.3.1

Due to a security issue, updates have been released for versions 8.2 and 8.3 of Drupal, version 7 is not susceptible. Drupal is a PHP-written, user-friendly and powerful content management platform, with which, for example, websites can be created. New in version 8.2 is, among other things, that blocks for text or media can be placed on pages without having to go to another administration page first. Furthermore, support for time periods has been added, where previously only a specific time could be used. The release notes for this release are as follows:

Drupal Core – Critical – Access Bypass – SA-CORE-2017-002

• Advisory ID: DRUPAL-SA-CORE-2017-002
• Project: Drupal core
• Version: 8.x
• Date: 2017-April-19
• CVEID: CVE-2017-6919
• security risk: 17/25 (Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
• Vulnerability: Access bypass

Description

This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:

• The site has the RESTful Web Services (rest) module enabled.
• The site allows PATCH requests.
• An attacker can get or register a user account on the site.

While we don’t normally provide security releases for unsupported minor releasesgiven the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely.

Versions affected

• Drupal 8 prior to 8.2.8 and 8.3.1.
• Drupal 7.x is not affected.

Solution

• If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.
• If the site is running Drupal 8.3.0, upgrade to 8.3.1.