Drupal versions 6, 7 and 8 do not properly sanitize requests allowing remote attackers without credentials to execute arbitrary code. This issue was patched in the following versions: Drupal 7.58 Drupal 8.3.9 Drupal 8.4.6 Drupal 8.5.1 External References: https://www.drupal.org/sa-core-2018-002 https://groups.drupal.org/security/faq-2018-002 Upstream Patches: https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5 https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
Created drupal8 tracking bugs for this issue: Affects: fedora-all [bug 1561855] Created drupal7 tracking bugs for this issue: Affects: fedora-all [bug 1561857] Affects: epel-all [bug 1561858] Created drupal6 tracking bugs for this issue: Affects: epel-6 [bug 1561856]
drupal6-6.38-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
All dependent bugs have been closed. Can this tracking bug be closed?
In reply to comment #5: > All dependent bugs have been closed. Can this tracking bug be closed? Yep, closed.