On 30 July 2018, the Drupal security team issued DRUPAL-PSA-2018-07-30 advising of a moderately critical security release for an update to a vendor library only for Drupal 8.
It is advised that customers set aside time to plan for a core upgrade immediately following the release on 1 August 2018 between 16:00:00 - 19:00:00 UTC (12:00pm - 3:00pm EDT/ 9:00am - 12:00pm PDT).
Remote Administration
For customers with Remote Administration (RA) services, Acquia will begin providing security updates immediately following the release on August 1. However, due to the large volume of applications we update, customers should expect to receive an update within 48 hours of the update being released. We highly recommend you plan to move this update to your production environment as soon as you can.
Note for Drupal 8.3.x and 8.4.x users: RA automation will update your application to the currently supported 8.5.x release. This release will not be backported to 8.3.x and 8.4.x as these branches are no longer supported. You should consider moving off of these branches to the 8.5.x branch as soon as possible.
For customers still on the 8.3.x and 8.4.x branches, if you wish to remain on these branches, we recommend you update the vendor library on your end independently of Drupal core. This is outside of the scope of Remote Administration.
As soon as you receive an update ticket from us we strongly recommend you test and respond as soon as possible to update your production application. Acquia will not move forward with updates until they are tested and explicitly approved in the RA ticket.
Platform Mitigation
Acquia has developed and implemented a mitigation to the Acquia platform based on the Drupal core release (SA-CORE-2018-005) issued Wednesday, 1 August 2018. This mitigation covers all customers with Acquia Cloud Free, Acquia Professional, Acquia Cloud Enterprise, and Acquia Cloud Site Factory applications. We highly recommend Acquia customers apply this Drupal core security update regardless of Acquia’s platform mitigation.
Additional Questions
Should you receive an update ticket and are already in the process of updating your application, no further action is required. Simply set the ticket to solved.
This article will be updated as new information becomes available.
Last updated: {2-August-2018 / 17:01:00 UTC}
Release Date
2018-07-31