Extremely Critical Drupal 7/8 Security Update Due Wednesday, March 28th 2018 around 11:00 AM PDT

As per the announcement on Drupal.org, there will be a security update for Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 and 19:30 UTC (11:00 AM PDT to 12:30 PM PDT) that will fix a highly critical security vulnerability. The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days.

This update is so critical that Webdrips will provide up to one free hour* to address the issue. If you would like our help, please reach out.

While Drupal 8.3.x and 8.4.x are no longer supported, given the potential severity of this issue, updates for 8.3.x and 8.4.x releases will be included. The Drupal security team strongly recommends the following:

  • Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.

The security advisory will list the appropriate version numbers for all three Drupal 8 branches. Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

This update will not require a database update. This means you can safely apply it right away and test the update. Worst case, if you use a version control system (which is highly recommended for all Drupal sites), you can always roll back the code or find a way around the issue. Based on past critical updates, Webdrips doubts that this particular update will affect your site in any negative way.

That said, the safest approach, rather than a full update to the latest version, will be to apply only a patch. Webdrips will make every effort to provide a patch once the security update has been released by Drupal.org. This way, you patch only the vulnerable code and nothing else.

* For new customers only