Drupal Security Update (Injection PSA-2016-002)

Drupal.org - injection vulnerability (“httpoxy”) PSA-2016-003

On Monday, 18 July 2016, the Drupal.org security team announced SA-CORE-2016-003 for an injection vulnerability (“httpoxy”) affecting Drupal 7 and Drupal 8 sites that use Guzzle, a PHP HTTP request library. A core update for Drupal 8 was released because Drupal 8 core packages Guzzle as a dependency.

Drupal 7 sites using a contributed module that depends on Guzzle will need an updated or patched version of Guzzle. Sites with non-Drupal code or CGI scripts may also be vulnerable. There is no Drupal 7 core or module release for this vulnerability. See httpoxy.org for additional background information and mitigation steps.

For Drupal 8 Sites Receiving Remote Administration (Acquia RA) Updates

Drupal 8 customers with Remote Administration (RA) services have already received an update branch, except those who experience update errors. Acquia will work with customers to resolve implementation errors and apply the updates successfully.

Customers are encouraged to update their own modules if they wish to reduce the window of vulnerability.

For Drupal 8 Sites without Remote Administration (Acquia RA) Updates

Customers using Drupal 8 should apply the core update and deploy it immediately.

For Drupal 7 Sites

Customers should inspect their site for any modules or other dependencies on Guzzle and update Guzzle immediately.
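
One way to carry out this inspection, as an added example that is not Acquia's or Drupal's own tooling: the script walks a docroot and reports every Guzzle copy it finds, either in Composer metadata or as a vendored ClientInterface.php. The demo tree, the module name and the version strings are constructed; compare real findings against the fixed release named in the upstream Guzzle advisory.

```python
import json
import re
import tempfile
from pathlib import Path

# Composer package names that ship Guzzle (current name plus the older Guzzle 3 names).
GUZZLE_PACKAGES = {"guzzlehttp/guzzle", "guzzle/guzzle", "guzzle/http"}
VERSION_CONST = re.compile(r"const\s+VERSION\s*=\s*['\"]([^'\"]+)['\"]")

def composer_packages(path):
    """Yield (name, version) for Guzzle entries in composer.lock or installed.json."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return  # unreadable or malformed metadata: nothing to report
    if isinstance(data, dict):  # composer.lock and Composer 2 installed.json
        data = (data.get("packages") or []) + (data.get("packages-dev") or [])
    for pkg in data if isinstance(data, list) else []:
        if isinstance(pkg, dict) and str(pkg.get("name", "")).lower() in GUZZLE_PACKAGES:
            yield pkg["name"], pkg.get("version", "unknown")

def find_guzzle(root):
    """Return sorted (relative path, package, version) for each Guzzle copy under root."""
    found = []
    files = (p for p in Path(root).rglob("*") if p.is_file())
    for path in files:
        rel = path.relative_to(root).as_posix()
        if path.name in ("composer.lock", "installed.json"):
            found += [(rel, pkg, ver) for pkg, ver in composer_packages(path)]
        elif path.name == "ClientInterface.php" and "guzzle" in rel.lower():
            # Vendored copy without Composer metadata: read its VERSION constant.
            m = VERSION_CONST.search(path.read_text(encoding="utf-8", errors="replace"))
            found.append((rel, "vendored Guzzle", m.group(1) if m else "unknown"))
    return sorted(found)

def demo():
    """Scan a constructed Drupal 7-style tree (paths and versions are made up)."""
    with tempfile.TemporaryDirectory() as root:
        lock = Path(root, "sites/all/modules/example_api/composer.lock")
        php = Path(root, "sites/all/libraries/guzzle/src/ClientInterface.php")
        for f in (lock, php):
            f.parent.mkdir(parents=True)
        lock.write_text(json.dumps({"packages": [
            {"name": "guzzlehttp/guzzle", "version": "0.0.1"}, {"name": "psr/log", "version": "0.0.2"}]}))
        php.write_text("<?php\ninterface ClientInterface { const VERSION = '0.0.3'; }\n")
        return find_guzzle(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real site, call `find_guzzle()` with the docroot path and review each reported copy, including ones bundled inside contributed modules or libraries.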

Acquia Cloud Edge

Acquia Cloud Edge Protect customers are automatically protected from the httpoxy vulnerability and may upgrade their Drupal 7 and Drupal 8 dependencies when convenient.

If you have any questions, you can contact Acquia Support by creating a ticket at https://insight.acquia.com/support or visiting the Acquia Help Center.
