Advisory ID: PSA-2018-001
Vulnerability: To Be Announced
Versions affected: 
  • Backdrop Core, all versions prior to 1.9.3.
Description: 

There will be a security release of Backdrop CMS 1.9.x, 1.8.x, and 1.7.x on March 28th, 2018 between 18:00 and 19:30 UTC that will fix a highly critical security vulnerability. As with all security updates, the Security Team urges you to reserve time for core updates at that time because exploits might be developed within days or even hours. Security release announcements will appear here, on the Backdrop security page.

While Backdrop 1.8.x and 1.7.x are no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing 1.8.x and 1.7.x releases that include the fix for sites which have not yet had a chance to update to 1.9.x. The Backdrop security team strongly recommends the following:

  • Sites on 1.9.x can immediately update when the advisory is released using the normal procedure.
  • Sites on 1.8.x should immediately update to the 1.8.x release that will be provided in the advisory, and then plan to update to the latest 1.9.x security release in the next month (since 1.8.x no longer receives official security coverage).
  • Sites on 1.7.x should immediately update to the 1.7.x release that will be provided in the advisory, and then plan to update to the latest 1.9.x security release in the next month (since 1.7.x no longer receives official security coverage).

The security advisory will list the appropriate version numbers for all three Backdrop branches. Your site's update report page will recommend the 1.9.x release even if you are on 1.8.x or 1.7.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

This update will not require a database update.

Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.backdropcms.org/security, over Twitter, and by email for those who have subscribed to the security email list.

To subscribe to the security email list:

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to backdropcms.org
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form