Advisory ID: PSA-2018-002
Vulnerability: To Be Announced
Versions affected:
  • Backdrop Core 1.x versions prior to 1.9.5
Description:

There will be a security release of Backdrop 1.9.x and 1.8.x on April 25th, 2018 between 16:00 and 18:00 UTC. As for all security updates, the Security Team urges you to reserve time for core updates at that time because exploits might be developed within days or even hours. Security release announcements will appear here, on the Backdrop security page.

This security release is a follow-up to the one released as BACKDROP-SA-CORE-2018-002 on March 28.

While Backdrop 1.8.x is no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing a release for 1.8.x that includes the fix for sites which have not yet had a chance to update to 1.9.x. The Backdrop Security Team strongly recommends the following:

  • Sites on 1.9.x can immediately update when the advisory is released using the normal procedure.
  • Sites on 1.8.x should immediately update to the 1.8.x release that will be provided in the advisory, and then plan to update to the latest 1.9.x security release in the next month (since 1.8.x no longer receives official security coverage).

The security advisory will list the appropriate version numbers for both Backdrop branches. Your site's update report page will recommend the 1.9.x release even if you are on 1.8.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

Patches for 1.9.x and 1.8.x will be provided in addition to the full releases mentioned above. (If your site is on a Backdrop release older than 1.8.0, it no longer receives security coverage and will not receive a security update. Upgrading is strongly recommended, as older Backdrop versions may contain other disclosed security vulnerabilities.)

This release will not require a database update.

Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.backdropcms.org/security, over Twitter, and by email to those who have subscribed to the security email list.

To subscribe to the security email list:

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to backdropcms.org
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form