Do you manage a Drupal site? You are likely to have heard about today's moderately critical security update: https://www.drupal.org/SA-CORE-2018-005
There's no time to spare - what now?
This update has one key difference from the other recent security updates. Those security issues resided within Drupal core's code, whereas this update is in an external vendor package which Drupal core relies on. I'll spare you some of the details - the tl;dr is that this makes it harder for us to provide a single patch you can reliably apply. Knowing the version of Drupal core you're running does not necessarily give us enough information to generate a patch.
Here is how to apply the security updates to your website if you are already on Drupal 8.5:
- SSH into your website
- Git add and commit all files
- Create a database backup with drush:
  - drush sql-dump > ../../2018-08-01-pre-sa-core-2018-005.sql
- Using Composer, and on Drupal 8.5.x?
  - composer update drupal/core --with-dependencies
  - Unsuccessful? Try: composer update webflo/drupal-core-strict drupal/core --with-all-dependencies
  - Still no luck? OK - this should work:
    - composer require symfony/http-foundation:~3.4.14
    - composer require symfony/http-kernel:~3.4.14
- Not using Composer, but are on Drupal 8.5.x?
  - I strongly recommend using Composer in the near future. Until then, manually update the two packages:
    - Download symfony/http-foundation here: https://github.com/symfony/http-foundation/archive/v3.4.14.zip
    - Download symfony/http-kernel here: https://github.com/symfony/http-kernel/archive/v3.4.14.zip
    - Now that we have the new versions of the two packages, we need to replace the insecure versions of those packages in our project:
      - Open your project
      - Within your project, find these folders:
        - http-foundation
          - This can usually be found in: YOUR-PROJECT/vendor/symfony/http-foundation
        - http-kernel
          - This can usually be found in: YOUR-PROJECT/vendor/symfony/http-kernel
      - Those are the two insecure folders. Note their location, and delete those folders
        - This step will break your website until the remaining steps are completed. For that reason, you should always perform development work on a dev environment, not on the live website.
      - Remember the zip files we downloaded earlier? Find those on your machine now.
      - Unzip the two zip files. You should now have these two folders on your computer:
        - http-foundation-3.4.14/
          - Rename this folder to http-foundation
          - Then move the renamed folder into your project, replacing the old http-foundation folder
          - This is normally YOUR-PROJECT/vendor/symfony/http-foundation
        - http-kernel-3.4.14/
          - Rename this folder to http-kernel
          - Then move the renamed folder into your project, replacing the old http-kernel folder
          - This is normally YOUR-PROJECT/vendor/symfony/http-kernel
    - Save (git add and commit) the updated folders on your website
    - Clear your website's cache
    - Test your website thoroughly
    - If everything looks good, you should be able to deploy these changes to the live website before clearing its cache
These steps come with no warranty, implied or otherwise.
Those steps will allow you to patch your site, not fully update it. Once the patches are in, you can rest assured that your site should now be secure. Take 24 hours off, then schedule fully updating your website to the latest version very soon. Future patches are not guaranteed to be applicable to earlier versions.
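To confirm that the Composer route above actually moved both packages, the following added example (not part of the original post) reads composer.lock and reports whether symfony/http-foundation and symfony/http-kernel are locked at 3.4.14 or later. The function names and the sample lock lines are constructed for illustration; manually replaced folders do not change composer.lock, so this check applies to Composer-managed sites only.

```shell
# Added example: check composer.lock against the 3.4.14 floor from the steps above.
FLOOR=3.4.14

# Print the locked version of package $2 in lock file $1. Relies on Composer's
# pretty-printed layout, where "version" directly follows "name".
lock_version() {
    awk -v pkg="\"$2\"," '
        $1 == "\"name\":" { hit = ($2 == pkg) }
        hit && $1 == "\"version\":" {
            sub(/^"v?/, "", $2); sub(/",?$/, "", $2); print $2; exit
        }' "$1"
}

# Succeed when dotted version $1 >= $2, comparing numerically field by field.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Return 0 only if both packages are locked at or above FLOOR.
check_lock() {
    rc=0
    for pkg in symfony/http-foundation symfony/http-kernel; do
        ver=$(lock_version "$1" "$pkg")
        if [ -n "$ver" ] && version_ge "$ver" "$FLOOR"; then
            echo "OK    $pkg $ver"
        else
            echo "STALE $pkg ${ver:-not found}"; rc=1
        fi
    done
    return $rc
}

# Constructed lock-file lines (not from a real site): one patched, one not.
sample_lock() {
    cat > "$1" <<'EOF'
            "name": "symfony/http-foundation",
            "version": "v3.4.14",
            "name": "symfony/http-kernel",
            "version": "v3.4.12",
EOF
}
if [ -n "${1:-}" ]; then check_lock "$1"; fi   # usage: sh check-lock.sh composer.lock
```

Run it from the project root after the composer commands; a STALE line means that package is still locked below 3.4.14.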