Drupal site developers are going to have a late one tonight due to this issue:
https://www.drupal.org/sa-core-2018-002
We have just patched over two dozen sites for clients; in case it helps, the following is what we did in the site root for each site.
To find the Drupal version, in the site root:
drush core-status | grep "Drupal version"
To patch the sites (you should probably do a test run first by giving patch the --dry-run argument, which reports whether every hunk applies without touching any file):
Drupal 6.x
wget "https://www.drupal.org/files/issues/2018-03-28/SA-CORE-2018-002.patch" -O d6.patch
patch -p1 < d6.patch
Drupal 7.x
wget "https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5" -O d7.patch
patch -p1 < d7.patch
Drupal 8.x
wget "https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f" -O d8.patch
patch -p1 < d8.patch
We only had one site where we needed to manually edit files; for older Drupal versions, patch fuzzing did the trick even though the target didn’t match.
Finally, don’t forget to restart apache2 (when PHP runs as mod_php) or php-fpm, so that a compiled copy of the vulnerable code isn’t still being served to clients from the opcode cache (OPcache, or APC on older stacks).
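The steps above, rolled into one script as an added example (this is not the original post's script, and not anything shipped by Drupal or Drush). It takes one or more site roots, reads the major version out of `drush core-status`, picks the matching patch from the three URLs above, dry-runs it, applies it only when the dry run is clean, and restarts the PHP service. Two things are the example's own additions: a reverse dry run (`patch -R --dry-run`) used to detect a tree that is already patched and to confirm the result after applying, and the service names in `restart_php`, which are assumptions that vary by distribution. The `drush core-status` line format assumed is Drush 8's `Drupal version : 7.56`.

```shell
#!/bin/sh
# Added example: patch one or more Drupal site roots for SA-CORE-2018-002.
# Usage: ./patch-sa-core-2018-002.sh /var/www/site1 /var/www/site2 ...
set -eu

# Patch URLs from the post, keyed by Drupal major version.
D6_PATCH="https://www.drupal.org/files/issues/2018-03-28/SA-CORE-2018-002.patch"
D7_PATCH="https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5"
D8_PATCH="https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f"

# Pull the major version out of `drush core-status` output, e.g.
# " Drupal version                  :  7.56" -> "7". Prints nothing if absent.
drupal_major_from_status() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*Drupal version[[:space:]]*:[[:space:]]*\([0-9][0-9]*\)\..*/\1/p' \
      | head -n1
}

# Map a major version to its patch URL; fails for anything we have no patch for.
patch_url_for_major() {
    case "$1" in
        6) printf '%s\n' "$D6_PATCH" ;;
        7) printf '%s\n' "$D7_PATCH" ;;
        8) printf '%s\n' "$D8_PATCH" ;;
        *) return 1 ;;
    esac
}

# True when every hunk of the patch is already present in the current tree:
# a dry run of the *reverse* patch only succeeds if the fix is fully applied.
patch_applied() {
    patch -p1 -R -f --dry-run < "$1" > /dev/null 2>&1
}

# Runs in a subshell so the cd does not leak into the caller's loop.
patch_site() (
    site_root="$1"
    cd "$site_root" || return 1
    major=$(drupal_major_from_status "$(drush core-status 2>/dev/null)")
    url=$(patch_url_for_major "$major") \
      || { echo "$site_root: cannot determine Drupal major version ('$major')" >&2; return 1; }
    patchfile="/tmp/sa-core-2018-002-d${major}.patch"
    [ -s "$patchfile" ] || wget -q "$url" -O "$patchfile" || return 1

    if patch_applied "$patchfile"; then
        echo "$site_root: already patched"
        return 0
    fi
    # Dry run first; a failed hunk means this site needs editing by hand.
    if ! patch -p1 -f --dry-run < "$patchfile" > /dev/null; then
        echo "$site_root: dry run failed, patch this one manually" >&2
        return 1
    fi
    patch -p1 -f < "$patchfile" > /dev/null
    patch_applied "$patchfile" || { echo "$site_root: post-apply check failed" >&2; return 1; }
    echo "$site_root: patched Drupal $major"
)

# Restart whichever PHP host is running so the opcode cache drops the old code.
# Service names are an assumption (Debian uses e.g. php7.0-fpm, RHEL php-fpm).
restart_php() {
    for svc in apache2 php-fpm php7.0-fpm php7.2-fpm; do
        systemctl is-active --quiet "$svc" 2>/dev/null && systemctl restart "$svc"
    done
    return 0
}

if [ "$#" -gt 0 ]; then
    failed=""
    for site in "$@"; do
        patch_site "$site" || failed="$failed $site"
    done
    restart_php
    [ -z "$failed" ] || { echo "needs manual attention:$failed" >&2; exit 1; }
fi
```

The reverse dry run is worth keeping in any mass-patching script: it is what tells you, for every site, that the fix is actually in the tree rather than just that a command ran, and it makes the script safe to re-run on sites you already did by hand.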