Two critical vulnerabilities have been discovered in Drupal Core and if you’re running it, you should immediately update your websites.
These vulnerabilities exists in Drupal core: A remote code execution vulnerability exists in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI and Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations.
Solution:
- If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6.
- If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9.
- If you are using Drupal 7.x, upgrade to Drupal 7.62.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
If you’re running Drupal and haven’t upgraded, you may want to do so. Below we showed you how to manually upgrade Drupal core packages.
To upgrade Drupal, continue with the steps below:
Step 1: Backup and Put Site in maintenance Mode
Before upgrading your site, backup your content and database. and put your site in maintenance mode. You can do that by going to:
Logon to the admin interface and go to Administration > Configuration > Development > Maintenance mode.
Then put the site in maintenance mode and click Save configuration.
You should always use maintenance mode when making major updates, particularly if the updates could disrupt visitors or the update process.
Step 2: Delete Drupal Core Files
Now that your site is in maintainance mode, go and delete Drupal core directories by running the commands below.
Change into to your Drupal root directory. normally in /var/www/html/drupal or to where you installed it.
Then run the commands below to delete the core and vendor folders or directories. and remove all the file in the root directory.
sudo rm -rf core vendor sudo rm -f *.* .[a-z]*
Step 3: Restore Drupal Core Files with Latest
Now that you’ve deleted the core vendor folders as well as file in the root directory, go and download Drupal latest content. copy restore the files and folders you delete.
cd /tmp && wget https://ftp.drupal.org/files/projects/drupal-x.x.x.tar.gz tar -zxvf drupal-x.x.x.tar.gz
Next, copy the extracted files, particularly the core and vendor directory and files in the root of the downloaded folders. the reverse of what you did to delete the content above. This should restore the files and folders with the latest versions.
cd drupal-x.x.x sudo cp -R core vendor /var/www/html/drupal sudo cp *.* .[a-z]* /var/www/html/drupal
You may have to change the directory file permissions again. run the commands below
sudo chown -R www-data:www-data /var/www/html/drupal sudo chmod -R 755 /var/www/html/drupal
Step 4: Update the Core Database Tables
Finally, open your browser and browse to the site URL followed by update.php.
ex.
This will update the core database tables.
You should now be able to logon and go to your Drupal admin, navigate to Administration > Reports > Status report. Verify that everything is working as expected. You should see that the site is updated.
You can now go and take the site from maintenance mode.
Enjoy!
You may also like the post below: