Drupal Release: 8.4.8
Tag Name: 8.4.8
Release Date: 4/25/2018
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 8.4.8 is a critical security release addressing a highly critical remote code execution vulnerability (SA-CORE-2018-004). All Drupal 8 sites should update immediately to prevent potential exploitation. This is a security-only release with no new features or bug fixes.
Highlight of the Release
- Critical security fix for a remote code execution vulnerability (SA-CORE-2018-004)
- Security-only release with no new features or non-security bug fixes
- Coordinated release by multiple security team members and contributors
Migration Guide
No migration steps are required for this security update. However, site administrators should:
- Update to Drupal 8.4.8 immediately
- Check the official security advisory for any additional mitigation steps
- Review server logs for potential exploitation attempts
- Consider changing all administrative passwords if the site was not updated promptly
If you are unable to update immediately, consult the security advisory for possible temporary mitigation strategies.
Upgrade Recommendations
Immediate Update Required
This is a highly critical security release addressing a remote code execution vulnerability. All Drupal 8.4.x sites should be updated immediately.
Update priority: Critical (100/100)
Steps to update:
- Back up your database and site files
- Update to Drupal 8.4.8 using your preferred method (Composer, Drush, or manual update)
- Run the database update script (visit /update.php or use Drush)
- Clear all caches
- Check the site functionality
If you cannot update immediately, consult the security advisory for possible temporary mitigation strategies. Sites running Drupal 8.3.x or earlier should update to the latest secure version for their branch or upgrade to 8.4.8.
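The update steps above, written out as a shell script for a Composer-managed site. This is an added example, not part of the release notes or of Drupal itself; the function names, the directory arguments, and the presence of Drush and Composer on the PATH are assumptions, and the backup directory is assumed to sit outside the project directory.

```bash
#!/usr/bin/env bash
# Added example. Assumed (not from the release notes): Drush and Composer on
# PATH, a Composer-managed project, and the directory arguments shown below.
FIXED="8.4.8"

# Print the installed core version, read from core/lib/Drupal.php
# (Drupal 8 declares it there as: const VERSION = 'x.y.z';).
drupal_version() {
  sed -n "s/^ *const VERSION = '\([^']*\)';.*/\1/p" "$1/core/lib/Drupal.php" | head -n 1
}

# Returns 0: 8.4.x older than 8.4.8, update now.
# Returns 1: already on 8.4.8 or a later 8.4.x.
# Returns 2: another branch; its fixed release is listed in the advisory.
needs_update() {
  case "$1" in
    8.4.*) ;;
    *) return 2 ;;
  esac
  [ "$1" = "$FIXED" ] && return 1
  lowest=$(printf '%s\n%s\n' "$1" "$FIXED" | sort -V | head -n 1)
  [ "$lowest" = "$1" ]
}

# Usage: apply_update <project-dir> <docroot> <backup-dir>
apply_update() {
  project=$1 docroot=$2 backups=$3
  stamp=$(date +%Y%m%d-%H%M%S)
  # Step 1: back up the database and the site files.
  drush --root="$docroot" sql-dump --result-file="$backups/db-$stamp.sql" || return 1
  tar -czf "$backups/site-$stamp.tar.gz" -C "$project" . || return 1
  # Step 2: pin core to the fixed release.
  composer --working-dir="$project" require "drupal/core:$FIXED" \
    --update-with-dependencies || return 1
  # Step 3: run pending database updates (same as visiting /update.php).
  drush --root="$docroot" updatedb -y || return 1
  # Step 4: clear all caches.
  drush --root="$docroot" cache-rebuild || return 1
  # Step 5: confirm the code on disk is now the fixed release.
  [ "$(drupal_version "$docroot")" = "$FIXED" ]
}

# Run only when called as: script.sh --apply <project-dir> <docroot> <backup-dir>
if [ "${1:-}" = "--apply" ]; then
  needs_update "$(drupal_version "$3")" && apply_update "$2" "$3" "$4"
fi
```

The last step only confirms the version on disk; checking site functionality still has to be done by hand.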
Bug Fixes
This release does not include any non-security bug fixes. It is focused exclusively on addressing the critical security vulnerability described in SA-CORE-2018-004.
New Features
This release contains no new features as it is a security-only update focused on addressing the critical vulnerability identified in SA-CORE-2018-004.
Security Updates
SA-CORE-2018-004: Remote Code Execution Vulnerability
This security release fixes a highly critical remote code execution vulnerability. The security team has determined that this vulnerability affects all Drupal 8 versions prior to 8.4.8.
The vulnerability allows an attacker to execute arbitrary code on the server through specially crafted requests, potentially leading to complete site compromise, data theft, or server takeover.
Multiple security team members and contributors collaborated on this fix, including David_Rothstein, alexpott, larowlan, Heine, Pere Orga, tim.plunkett, mlhess, xjm, Jasu_M, drumm, cashwilliams, quicksketch, dawehner, pwolanin, and samuel.mortenson.
For more details, please refer to the official security advisory at https://www.drupal.org/sa-core-2018-004.
Performance Improvements
No specific performance improvements are included in this release as it is focused solely on addressing the critical security vulnerability.
Impact Summary
This release addresses a highly critical remote code execution vulnerability that affects all Drupal 8 sites. The security issue allows attackers to potentially take complete control of affected sites through specially crafted requests.
The security team has assigned this vulnerability the highest criticality rating due to:
- The ease of exploitation
- The lack of required authentication or special permissions
- The severity of potential impact (complete site compromise)
Sites that are not updated promptly may be targeted by automated attacks. The Drupal security team, along with multiple contributors, has worked to provide this fix as quickly as possible.
This is a security-only release with no new features or non-security fixes. The focus is entirely on addressing this critical vulnerability to protect Drupal sites worldwide.
Users Affected:
- Must update their Drupal 8.4.x sites immediately to prevent potential exploitation
- Need to follow the security advisory instructions for proper mitigation
- Should check their sites for signs of compromise if not updated promptly
