Drupal site developers are going to have a late one tonight due to this issue:
We have just patched over two dozen sites for clients. In case it helps, the following is what we did in the site root for each site.
To find the Drupal version, in the site root:
drush core-status | grep "Drupal version"
To patch the sites (you should probably do a test run with a patch --dry-run argument first):
# Drupal 6
wget "https://www.drupal.org/files/issues/2018-03-28/SA-CORE-2018-002.patch" -O d6.patch
patch -p1 < d6.patch
# Drupal 7
wget "https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5" -O d7.patch
patch -p1 < d7.patch
# Drupal 8
wget "https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f" -O d8.patch
patch -p1 < d8.patch
We only had one site where we needed to manually edit files; for older Drupal versions, patch fuzzing did the trick even though the target didn’t match.
Finally, don’t forget to restart php-fpm to ensure that any compiled and cached version of the vulnerable code isn’t still being served to clients.
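The dry-run-then-apply step above, wrapped as shell functions that touch a site only when the dry run is clean (an added example, not part of the original post). The function names `patch_url_for` and `apply_if_clean` are hypothetical, the URLs are the ones listed above, and `-N` is an added assumption so that an already-patched tree is skipped rather than reversed.

```sh
#!/bin/sh
# Added example: dry-run-first patching for SA-CORE-2018-002.
# Function names are hypothetical; the URLs are the ones listed in the post.

# Map a Drupal version string (e.g. "7.57") to the patch URL for its major branch.
patch_url_for() {
  case "$1" in
    6.*) echo "https://www.drupal.org/files/issues/2018-03-28/SA-CORE-2018-002.patch" ;;
    7.*) echo "https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5" ;;
    8.*) echo "https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f" ;;
    *)   echo "no patch listed for Drupal version '$1'" >&2; return 1 ;;
  esac
}

# Apply a patch inside a site root only if the dry run succeeds.
# Exit status: 0 applied, 1 dry run failed (nothing modified), 2 bad arguments.
apply_if_clean() {
  site_root=$1
  patch_file=$2
  [ -d "$site_root" ] && [ -f "$patch_file" ] || return 2
  # --dry-run reports what would happen without writing any file;
  # -N skips hunks that look already applied instead of offering to reverse them.
  if ! dry_out=$( { cd "$site_root" && patch -p1 -N --dry-run; } < "$patch_file" 2>&1 ); then
    printf 'dry run failed, site left untouched:\n%s\n' "$dry_out" >&2
    return 1
  fi
  # Surface hunks that only applied with fuzz or an offset so they can be reviewed by hand.
  printf '%s\n' "$dry_out" | grep -E 'fuzz|offset' >&2 || true
  ( cd "$site_root" && patch -p1 -N >/dev/null ) < "$patch_file"
}
```

Typical use: `wget "$(patch_url_for 7.57)" -O d7.patch && apply_if_clean /path/to/site d7.patch`, followed by the php-fpm restart.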