Drupal Release: 8.5.2
Tag Name: 8.5.2
Release Date: 4/18/2018
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 8.5.2 Security Release
This is a critical security release addressing vulnerabilities identified as SA-CORE-2018-003. All Drupal 8.5.x sites should update immediately to version 8.5.2 to protect against potential remote code execution attacks. This release does not add new features but focuses exclusively on security fixes.
Highlights of the Release
- Critical security update addressing SA-CORE-2018-003
- Patches potential remote code execution vulnerabilities
- Recommended immediate update for all Drupal 8.5.x sites
Migration Guide
No migration steps are required for this security update. Simply update your Drupal core to version 8.5.2 following the standard update procedure:
- Back up your database and site files
- Put your site into maintenance mode
- Update Drupal core using your preferred method (Composer, Drush, or manual update)
- Run the database update script
- Take your site out of maintenance mode
After updating, it's recommended to:
- Clear all caches
- Review your logs for suspicious activity
- Consider changing all administrative passwords if you suspect your site may have been compromised
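The update steps above, written out as a script for a Composer-managed site. This is an added example, not code from the Drupal project or the advisory; it assumes Drush 9 and Composer are on PATH, that it runs from the project root, and that the backup directory (a hypothetical path) lies outside the web root.

```shell
#!/bin/sh
# Added example, not Drupal project code. Assumes a Composer-managed site,
# Drush 9 on PATH, and that it is run from the project root.
set -eu

FIXED_PATCH=2   # 8.5.2 carries the SA-CORE-2018-003 fix

# Classify a core version against this page's advice.
# Prints: update | ok | other-branch | unknown
classify_core() {
  case "$1" in
    8.5.*) ;;
    [0-9]*.[0-9]*) echo other-branch; return 0 ;;
    *) echo unknown; return 0 ;;
  esac
  rest=${1#8.5.}             # "1", "2", "0-rc1", "x-dev"
  patch=${rest%%[!0-9]*}     # leading digits only
  suffix=${rest#"$patch"}
  if [ -z "$patch" ]; then echo unknown
  elif [ "$patch" -lt "$FIXED_PATCH" ]; then echo update
  elif [ -n "$suffix" ]; then echo unknown   # e.g. 8.5.2-dev: not a tagged release
  else echo ok
  fi
}

core_version() { drush status --field=drupal-version; }

run_update() {
  backup_dir=$1              # hypothetical path outside the web root
  state=$(classify_core "$(core_version)")
  if [ "$state" != update ]; then
    echo "core is '$state'; nothing to do for the 8.5.2 update" >&2
    return 0
  fi
  drush sql-dump --gzip --result-file="$backup_dir/pre-update.sql"  # back up DB
  tar -czf "$backup_dir/pre-update-files.tar.gz" .                   # back up files
  drush sset system.maintenance_mode 1       # maintenance mode on
  composer update drupal/core --with-dependencies
  drush updatedb -y                          # database update script
  drush cr                                   # clear all caches
  # Stay in maintenance mode unless a fixed 8.5.x release is in place.
  [ "$(classify_core "$(core_version)")" = ok ] ||
    { echo "core is not at a fixed 8.5.x release" >&2; return 1; }
  drush sset system.maintenance_mode 0       # maintenance mode off
}

# Runs only when asked to: sh update.sh --apply /path/to/backups
if [ "${1:-}" = "--apply" ]; then run_update "$2"; fi
```

Because of `set -e`, a failed step stops the script with the site still in maintenance mode, so a partially updated site is not put back online.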
Upgrade Recommendations
Immediate Update Strongly Recommended
This is a critical security release and all Drupal 8.5.x sites should be updated immediately to version 8.5.2.
If you cannot update immediately, consider taking your site offline until you can apply the update to prevent potential exploitation.
Sites still running Drupal 8.4.x or earlier should update to the latest secure version for their branch, then plan to update to a supported version as soon as possible.
The security team recommends following standard security practices after updating:
- Clear all caches
- Review logs for suspicious activity
- Consider changing administrative passwords
Bug Fixes
Security Vulnerabilities Fixed
This release addresses critical security vulnerabilities that could potentially allow remote code execution. The specific details of the vulnerabilities are not fully disclosed to prevent exploitation on unpatched sites, but they relate to how Drupal handles certain input data.
The security team and contributors have worked diligently to provide this fix as quickly as possible after discovering the vulnerabilities.
New Features
This security release does not include new features as it focuses exclusively on addressing critical security vulnerabilities identified in SA-CORE-2018-003.
Security Updates
SA-CORE-2018-003 Security Advisory
This release addresses critical vulnerabilities that could allow attackers to exploit multiple attack vectors on a Drupal site. The security team has classified this as highly critical.
The vulnerabilities affect the core of Drupal and could potentially lead to remote code execution on vulnerable sites. All site owners should update immediately, regardless of which modules are enabled.
If you are unable to update immediately, you should consider taking your site offline until you can apply the update.
Performance Improvements
No specific performance improvements are included in this release as it focuses exclusively on security fixes.
Impact Summary
This security release addresses critical vulnerabilities that could allow attackers to execute arbitrary code on vulnerable Drupal sites. The impact is severe as successful exploitation could lead to complete site compromise, data theft, defacement, or the site being used to distribute malware or participate in attacks on other sites.
The security team has classified this as highly critical, indicating the urgent nature of this update. All Drupal 8.5.x sites should update immediately to version 8.5.2 to protect against these vulnerabilities.
Sites that delay updating are at significant risk of compromise, as security vulnerabilities are often exploited shortly after disclosure. The Drupal security team and community contributors have worked quickly to provide this fix, but site owners must take action to protect their installations.
