Do you manage a Drupal site? You are likely to have heard about today's highly critical security update: https://www.drupal.org/sa-core-2018-002
There's no time to spare - what now?
Note: in the below examples, the patches are tested when 'x' in the version number is the highest available number. It is likely to work at slightly lower versions as well, but no guarantees either way. That's why we back up our sites before any update.
Here's the quick & dirty way to patch your site:
- If your site is 8.5.x
- SSH into your website
- Git add and commit all files
- Create a database backup with drush:
- drush sql-dump > ../../2018-03-28-pre-sa-core-2018-002.sql
- Download this patch file: https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
- Name it sa-core-2018-002-85.patch
- Place it in your website's root folder
- Run this command:
- patch -p1 < sa-core-2018-002-85.patch
- If your site is 8.4.x
- SSH into your website
- Git add and commit all files
- Create a database backup with drush:
- drush sql-dump > ../../2018-03-28-pre-sa-core-2018-002.sql
- Download this patch file: https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
- Name it sa-core-2018-002-84.patch
- Place it in your website's root folder
- Run this command:
- patch -p1 < sa-core-2018-002-84.patch
- If your site is 8.3.x
- SSH into your website
- Git add and commit all files
- Create a database backup with drush:
- drush sql-dump > ../../2018-03-28-pre-sa-core-2018-002.sql
- Download this patch file: https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
- Name it sa-core-2018-002-83.patch
- Place it in your website's root folder
- Run this command:
- patch -p1 < sa-core-2018-002-83.patch
- If your site is 7.x
- SSH into your website
- Git add and commit all files
- Create a database backup with drush:
- drush sql-dump > ../../2018-03-28-pre-sa-core-2018-002.sql
- Download this patch file: https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5
- Name it sa-core-2018-002-7.patch
- Place it in your website's root folder
- Run this command:
- patch -p1 < sa-core-2018-002-7.patch
- If your site is 6.x
- The "semi-official" patch is here: https://www.drupal.org/files/issues/2018-03-28/SA-CORE-2018-002.patch
- This patch was not released by the Drupal security team, but it was posted to Drupal.org's D6LTS ("Long Term Support") issue queue: https://www.drupal.org/project/d6lts/issues/2955130
This comes with no warranty, implied or otherwise.
Those steps will allow you to patch your site, not fully update it. Once the patches are in, you can rest assured that your site should now be secure. Take 24 hours off, then schedule fully updating your website to the latest version in the near future.