A 3rd party development library including with Drupal 8 development
dependencies is vulnerable to remote code execution. This is mitigated by
the default .htaccess protection against PHP execution, and the fact that
Composer development dependencies aren't normal installed. You might be
vulnerable to this if you are running a version of Drupal before 8.2.2. To
be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit
directory from your production deployments
ratliffUbuntu doesn't package drupal8 and it is unclear whether this
vulnerability impacts drupal7, it needs a bit more investigation
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 20.04 LTS (Focal Fossa):DNE
Ubuntu 20.10 (Groovy Gorilla):DNE
More Information

Updated: 2020-09-09 21:35:16 UTC (commit b67d7d8b03f173f825cd706df5bd078bca500b0e)