Drupal Release: 8.2.8

TL;DR

Drupal 8.2.8 Security Release

This is a critical security release addressing a remote code execution vulnerability (SA-CORE-2017-002). All Drupal 8 site owners should update immediately to version 8.2.8 to protect their sites from potential attacks. This release contains no new features or bug fixes beyond the security patch.

Highlight of the Release

• Critical security fix for remote code execution vulnerability (SA-CORE-2017-002)
• Coordinated security release by multiple core contributors
• Immediate update strongly recommended for all Drupal 8 sites

Migration Guide

No migration steps are required for this security update. Site administrators should:

1. Back up their site database and files before updating
2. Update to Drupal 8.2.8 using their standard update process
3. Clear all caches after the update
4. Run database updates if prompted
5. Test site functionality to ensure everything works as expected

If you are unable to update immediately, consider temporarily taking your site offline until you can apply the security patch.

Upgrade Recommendations

Immediate Update Strongly Recommended

This is a critical security release that addresses a remote code execution vulnerability. All Drupal 8 site owners should update to version 8.2.8 immediately.

Update priority: Critical (update ASAP)

For sites on Drupal 8.2.x: Update directly to Drupal 8.2.8 For sites on earlier 8.x versions: Update to the latest secure version for your branch, then plan to update to a supported version For sites on Drupal 7: This specific vulnerability does not affect Drupal 7, but staying on the latest secure version is always recommended

If you cannot update immediately, consider temporarily taking your site offline until you can apply the security patch.

Bug Fixes

This release does not include regular bug fixes. It is a security-focused release that addresses only the critical vulnerability identified in SA-CORE-2017-002.

New Features

This security release does not contain any new features. It is focused exclusively on addressing the critical security vulnerability identified as SA-CORE-2017-002.

Security Updates

Critical: Remote Code Execution - SA-CORE-2017-002

This security release fixes a critical remote code execution vulnerability in Drupal 8. The security team has assigned this vulnerability a risk score of Critical using the OWASP risk rating system.

The vulnerability affects multiple subsystems within Drupal 8 and could allow unauthorized users to execute arbitrary code on the server. This could lead to:

• Complete site compromise
• Data theft
• Server takeover
• Installation of malware

The fix was developed through collaboration between multiple core contributors including alexpott, xjm, larowlan, Wim Leers, samuel.mortenson, Berdir, dawehner, tstoeckler, and catch.

Note: Details about the exact nature of the vulnerability are intentionally limited to prevent exploitation on unpatched sites.

Performance Improvements

No specific performance improvements are included in this security release. The focus is entirely on addressing the critical security vulnerability.

Impact Summary

This release addresses a critical security vulnerability (SA-CORE-2017-002) that could allow remote code execution on Drupal 8 sites. The security issue has been assigned the highest severity rating due to its potential impact.

Unpatched sites are at significant risk of complete compromise if exploited. Attackers could potentially:

• Execute arbitrary PHP code on the server
• Access, modify, or delete site content and data
• Gain administrative access to the site
• Use the compromised site to attack other systems

The security fix was developed through collaboration between multiple core contributors and has been thoroughly tested to ensure it addresses the vulnerability without introducing new issues.

This release contains only the security fix with no additional features or bug fixes, making it a straightforward but essential update for all Drupal 8 site owners.