Drupal.org - injection vulnerability (“httpoxy”) PSA-2016-003
On Monday, 18 July 2016, the Drupal.org security team announced SA-CORE-2016-003 for an injection vulnerability (“httpoxy”) for Drupal 7 and Drupal 8 sites using Guzzle, a PHP HTTP request library. A core update for Drupal 8 was released due to a dependency on Guzzle packaged with Drupal 8.
Drupal 7 sites using a contributed module that depends on Guzzle will need an updated or patched version of Guzzle. Sites with non-Drupal code or CGI scripts may also be vulnerable. There is no Drupal 7 core or module release for this vulnerability. See httpoxy.org for additional background information and mitigation steps.
For Drupal 8 Sites Receiving Remote Administration (Acquia RA) Updates
Drupal 8 customers with Remote Administration (RA) services have already received an update branch, except those who experience update errors. Acquia will work with customers to resolve implementation errors and apply the updates successfully.
Customers are encouraged to update their own modules if they wish to reduce the window of vulnerability.
For Drupal 8 Sites without Remote Administration (Acquia RA) Updates
Customers using Drupal 8 should apply the core update and deploy it immediately.
For Drupal 7 Sites
Customers should inspect their site for any modules or other dependencies on Guzzle and update Guzzle immediately.
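One way to carry out that inspection, as an added example that is not part of the original advisory or Acquia tooling: the script walks a docroot and reports every Guzzle copy recorded in Composer metadata, with its version, for comparison against the fixed releases. It assumes Guzzle was installed through Composer under the package names `guzzlehttp/guzzle` or `guzzle/guzzle`; a copy dropped into a libraries directory without Composer metadata will not be listed and needs a manual check.

```python
import json
from pathlib import Path

# Composer package names for Guzzle: 4.x and later, and the older 3.x line.
GUZZLE_PACKAGES = {"guzzlehttp/guzzle", "guzzle/guzzle"}


def _packages(doc):
    """Yield package entries from composer.lock or installed.json content."""
    if isinstance(doc, list):            # installed.json written by Composer 1
        yield from doc
    elif isinstance(doc, dict):          # composer.lock, or Composer 2 installed.json
        for key in ("packages", "packages-dev"):
            yield from doc.get(key) or []


def find_guzzle(docroot):
    """Return sorted (file, package, version) tuples for each Guzzle copy found."""
    hits = set()
    root = Path(docroot)
    for pattern in ("composer.lock", "installed.json"):
        for path in root.rglob(pattern):
            try:
                doc = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue                 # unreadable or not JSON: skip it
            for pkg in _packages(doc):
                if not isinstance(pkg, dict):
                    continue
                name = str(pkg.get("name", ""))
                if name.lower() in GUZZLE_PACKAGES:
                    hits.add((str(path.relative_to(root)), name,
                              str(pkg.get("version", "unknown"))))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Usage: python find_guzzle.py /path/to/docroot
    for file, name, version in find_guzzle(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{file}: {name} {version}")
```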
Acquia Cloud Edge
Acquia Cloud Edge Protect customers are automatically protected from the httpoxy vulnerability and may upgrade their Drupal 7 and Drupal 8 dependencies when convenient.