[IDA] Core and Module updates on 2/20, Fwd: [Security-news] Critical Release - PSA-2019-02-19

  • Posted on: 19 February 2019
  • By: Michael

Hi All,

If you’re on D8, core and probably a few modules will be updated tomorrow.  If
you’re on D7, most likely several modules will be updated.  Full Security
Announcement is below (but it really doesn’t say much, not that it should for
those self-same security implications).

As an FYI: Wednesdays are generally the day of the week Drupal updates are
released.  The 3rd Wednesday of a month is usually when the majority of
Drupal security updates occur.

Depending upon the complexity of the security update(s) being released, if
you’re close to your update time, and/or your site’s needed updates are not
difficult, I’ll most likely do full site updates as well.  (No one really
likes doing QA, so no point in making you do it twice.)

I’ll send out more information after applying all patches and updates.

Best Regards,


Internet Design Alliance, owner
Hours (US CST):  Mon - Thur, 8am – 6pm | Fri, 8am - Noon
Emergency calls:  24x7

----------  Forwarded Message  ----------

Subject: [Security-news] Critical Release - PSA-2019-02-19
Date: Tuesday 19 February 2019, 09:25:39 am
From: security-news@drupal.org
To: security-news@drupal.org

View online: https://www.drupal.org/psa-2019-02-19

Date: 2019-February-19
Security risk: *Highly critical* 20∕25
AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [1]
Vulnerability: Critical Release

There will be a *security release of 8.5.x and 8.6.x on February 20th 2019
between 1PM to 5PM America/New York* (1800 to 2200 UTC). (To see this in your
local timezone, refer to the Drupal Core Calendar [2]). The risk on this is
currently rated at 20/25 (Highly critical).

Not all configurations are affected. Reserve time on February 20 during the
release window to determine whether your sites are affected and in need of an
immediate update. Mitigation information will be included in the advisory.

Contributed module security updates may also be required.

*If you are running Drupal 7*, no core update is required, but you may need
to update contributed modules if you are using an affected module.  We are
unable to provide the list of those modules at this time.

Neither the Security Team nor any other party is able to release any more
information about this vulnerability until the announcement is made. The
announcement will be made public at https://www.drupal.org/security [3], over
Twitter, and in email for those who have subscribed to our email list. To
subscribe to the email list: log in on Drupal.org, go to your user profile
page and subscribe to the security newsletter on the Edit » My newsletters

Security release announcements will appear on the Drupal.org security
advisory page.

[1] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/security
