Critical Drupal Core Vulnerabilities Discovered — Here’s How to Upgrade on Ubuntu 16.04 | 18.04

Two critical vulnerabilities have been discovered in Drupal Core and if you’re running it, you should immediately update your websites.

These vulnerabilities exist in Drupal core: a remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI, and Drupal core uses the third-party PEAR Archive_Tar library, which has released a security update that impacts some Drupal configurations.

Solution:

  • If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6.
  • If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9.
  • If you are using Drupal 7.x, upgrade to Drupal 7.62.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
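
To tell which of the fixed releases above applies to an existing install, the following added shell example (not part of the original post) reads the core version from a Drupal root and compares it numerically against the versions listed on this page. The function names are hypothetical, and it assumes the stock file layout in which Drupal 8 declares VERSION in core/lib/Drupal.php and Drupal 7 in includes/bootstrap.inc.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a Drupal core
# version still needs the upgrade. Fixed releases are the ones this page lists.

# Print the core version under Drupal root $1. Assumption: stock layout, where
# Drupal 8 declares VERSION in core/lib/Drupal.php and Drupal 7 in
# includes/bootstrap.inc.
drupal_installed_version() {
    for f in "$1/core/lib/Drupal.php" "$1/includes/bootstrap.inc"; do
        [ -f "$f" ] || continue
        sed -n "s/.*VERSION['\"]*[ ,=]*['\"]\([0-9][0-9A-Za-z.-]*\)['\"].*/\1/p" "$f" | head -n 1
        return 0
    done
    return 1
}

# Succeed when dotted version $1 is lower than $2, comparing each field as a
# number (so 8.6.10 is newer than 8.6.6, which a string compare gets wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print a verdict for version $1; return 0 = patched, 1 = upgrade, 2 = unknown.
drupal_fix_status() {
    case $1 in
        8.6.*)      target=8.6.6 ;;
        8.[0-5].*)  target=8.5.9 ;;   # the page's "8.5.x or earlier" rule
        7.*)        target=7.62 ;;
        *)          echo "unknown: '$1' is not a branch this page covers"; return 2 ;;
    esac
    if version_lt "$1" "$target"; then
        echo "vulnerable: upgrade $1 to $target"
        return 1
    fi
    echo "ok: $1 is at or above $target"
}

# Usage: sh check-drupal.sh /var/www/html/drupal
if [ -n "${1:-}" ]; then
    drupal_fix_status "$(drupal_installed_version "$1")"
fi
```

Running it again after Step 4 confirms that the files on disk are the patched release.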

If you’re running Drupal and haven’t upgraded, you should do so now. Below we show you how to manually upgrade the Drupal core packages.

To upgrade Drupal, continue with the steps below:

Step 1: Back Up and Put the Site in Maintenance Mode

Before upgrading your site, back up your content and database, and put your site in maintenance mode. To do that:

Log on to the admin interface and go to Administration > Configuration > Development > Maintenance mode.

Then put the site in maintenance mode and click Save configuration.

You should always use maintenance mode when making major updates, particularly if the updates could disrupt visitors or the update process.

Step 2: Delete Drupal Core Files

Now that your site is in maintenance mode, delete the Drupal core directories by running the commands below.

Change into your Drupal root directory, normally /var/www/html/drupal or wherever you installed it.

Then run the commands below to delete the core and vendor directories and remove all the files in the root directory. The wildcards expand in the current directory, so make sure you are in the Drupal root before running them.

sudo rm -rf core vendor
sudo rm -f *.* .[a-z]*

Step 3: Restore Drupal Core Files with Latest

Now that you’ve deleted the core and vendor directories as well as the files in the root directory, download the latest Drupal release and restore the files and folders you deleted.

cd /tmp && wget https://ftp.drupal.org/files/projects/drupal-x.x.x.tar.gz
tar -zxvf drupal-x.x.x.tar.gz

Next, copy the extracted files, particularly the core and vendor directories and the files in the root of the downloaded folder. This is the reverse of what you did to delete the content above, and it should restore the files and folders with the latest versions.

cd drupal-x.x.x
sudo cp -R core vendor /var/www/html/drupal
sudo cp *.* .[a-z]* /var/www/html/drupal

You may have to change the directory file permissions again. Run the commands below:

sudo chown -R www-data:www-data /var/www/html/drupal
sudo chmod -R 755 /var/www/html/drupal

Step 4: Update the Core Database Tables

Finally, open your browser and browse to the site URL followed by update.php.

This will update the core database tables.

You should now be able to log on to your Drupal admin and navigate to Administration > Reports > Status report. Verify that everything is working as expected. You should see that the site is updated.

You can now take the site out of maintenance mode.

Enjoy!
