Now the implications of this PSA may be subtle to some, but its subtlety shows how severe the issue is that they are patching.
You see, projects generally don't announce beforehand that they are working on a patch for an unreleased vulnerability; instead they announce that a vulnerability existed only when they release the patch. So what the Drupal Security Team is doing here is letting you know that this is so important that they want everyone ready to apply the patch as soon as it is released. They are doing this because they expect that practical exploits could be "developed within hours" of the patch's release.
On top of this, Drupal is choosing to patch more than just the two current "stable" core releases (7.x and 8.5.x), and is ALSO patching the "unsupported minor releases" 8.3.x and 8.4.x. Again, the fact that they are choosing to patch more than the main branches of code shows exactly how horrible this exploit could be for users of the Drupal CMS.
The Drupal Security Team has promised that the announcement for the patch will be made public via:
- The Drupal Security Page
- Twitter (@drupal)
- Email (for those who have subscribed to the email list)
Update: Exploit Affects Drupal 6 Also!
As can be seen by viewing recent commits to the Drupal 6 LTS code repository, the current exploit also affects the fully unsupported Drupal 6 branch.
While the Drupal 6 LTS team is working on patches for the latest Drupal 6 release, these patches will need to be applied by someone considerably savvy with code repositories and patching code. As such, they recommend you use a provider that has experience patching software or that is part of the official Drupal 6 LTS vendor list. It is worth noting that Drupal 6 has no longer been officially supported since Feb 24th, 2016.