Corresponding security release for Drupal SA-CORE-2020-007 and SA-CORE-2020-010 postponed

Date:

Wednesday, Sep 16th, 2020

Advisory ID:

PSA-2020-005

Security risk:

Moderately Critical

Vulnerability:

Cross Site Scripting

Versions affected:

Backdrop Core 1.16.x versions prior to 1.16.4
Backdrop Core 1.17.x versions prior to 1.17.1

Backdrop versions 1.15 and prior do not receive security coverage.

Description:

There will be a security release of Backdrop 1.17.x, and 1.16.x on Sept 30th, 2020 between 19:00 - 23:00 UTC. Security release announcements will appear here, on the Backdrop security page. This release will not require a database update.

This security release will be a complimentary release to the Drupal security releases SA-CORE-2020-007 and SA-CORE-2020-010 issued on September 16th.

Because Backdrop issued its regularly scheduled minor release on September 15th, and based on the severity of these issues, the Backdrop Security Team has agreed to postpone this security release for two weeks.

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

Log in to backdropcms.org
Edit your profile
Switch to the "Subscriptions" tab
Check the box labeled "Security updates"
Save the form

Report security issues responsibly

If you have found a security issue, send an email to security@backdropcms.org. Do not file an issue on GitHub, or otherwise announce the issue publicly.

See more about Backdrop security.

Security Advisories

The list below includes the latest advisories for both Backdrop core and any project in the contributed repository. See the entire list of all advisories.