Security Issue
On Monday, 23 April 2018 at 16:27 UTC, the Drupal security team issued psa-2018-003 advising of a highly critical security release for Drupal 7 as well as the 8.4.x and 8.5.x branches of Drupal 8. On Wednesday, 25 April 2018, Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004 was released.
Remote Administration (RA) Services
For customers with subscriptions that include Remote Administration (RA) services, Acquia began providing security updates immediately following the release on Wednesday, 25 April 2018. However, due to the large volume of applications we update, customers should expect to receive an update within 48 hours of the update being released. We highly recommend you plan to move this update to your production environment as soon as you can.
As soon as you receive an update ticket from us, we strongly recommend you test and respond quickly to allow us to update your production application. Acquia will not move forward with updates until they are tested and explicitly approved in the Remote Administration ticket.
If you receive an update ticket and are already in the process of updating your application, no further action is required. Simply set the ticket to solved.
Reported Issues
We have received reports from customers that the latest Drupal security patch sometimes causes errors with Domain module functionality in their applications.
Customers with applications impacted by these errors can implement a workaround by adding an extra require line before the domain include (e.g. near the end of settings.php):
require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc';
include DRUPAL_ROOT . '/sites/all/modules/contrib/domain/settings.inc';
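To confirm the workaround is in place across every site in a codebase, the following check reports whether each settings.php loads request-sanitizer.inc before the domain include. It is an added example, not Acquia's or Drupal's code; the function names and the sites/*/settings.php layout are assumptions, and the two paths matched are the ones quoted above.

```python
import re
from pathlib import Path

# The two statements from the workaround. A site with the Domain module
# installed under a different directory still matches, because only the
# trailing "/domain/settings.inc" part of the path is required.
SANITIZER = re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*request-sanitizer\.inc")
DOMAIN = re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*/domain/settings\.inc")


def strip_php_comments(src):
    """Remove /* */ blocks and whole-line // or # comments (simple heuristic),
    so a commented-out require line is not counted as present."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)^\s*(?://|#).*$", "", src)


def check_settings(src):
    """Classify one settings.php body.

    Returns one of:
      no-domain-include      - file does not include domain/settings.inc
      missing-require        - domain include present, sanitizer never loaded
      require-after-include  - both present, but in the wrong order
      ok                     - sanitizer is loaded before the domain include
    """
    code = strip_php_comments(src)
    domain = DOMAIN.search(code)
    if domain is None:
        return "no-domain-include"
    sanitizer = SANITIZER.search(code)
    if sanitizer is None:
        return "missing-require"
    return "ok" if sanitizer.start() < domain.start() else "require-after-include"


def scan_docroot(docroot):
    """Check every sites/*/settings.php under docroot (assumed layout)."""
    results = {}
    for path in sorted(Path(docroot).glob("sites/*/settings.php")):
        results[str(path.relative_to(docroot))] = check_settings(
            path.read_text(encoding="utf-8", errors="replace"))
    return results


if __name__ == "__main__":
    import sys
    for name, status in scan_docroot(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{status:24} {name}")
```

Run it with the docroot as the only argument; any site reported as missing-require or require-after-include still needs the workaround.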
Updates
This article will be updated as new information becomes available. We recommend following the Acquia Support Twitter account for notification of updates to this article.
Last updated: 30 April 2018 / 12:23PM PDT
Release Date
2018-04-25