PHP Security Release – Drupal 7 sites may require action

Sep 2, 21:41 PDT
Resolved – PHP.net has released version 7.0.23, which is classified as a security release [1]. Pantheon has deployed this PHP version platform-wide. The release addresses a vulnerability that could allow arbitrary code execution (MS-ISAC 2017-076 [2]).

Drupal 7 sites on PHP 7.0 that haven’t updated core in a few months will see a new PHP notice printed to the screen in non-live environments. To fix it, update to Drupal 7.55 or later, or apply this patch [3] from drupal.org issue 2877243 [4]. The notice is suppressed in Live environments.

[1] – http://php.net/ChangeLog-7.php#7.0.23

[2] – https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution-14/

[3] – https://www.drupal.org/files/issues/DATE_RFC7231-2877243-1.patch

[4] – https://www.drupal.org/node/2877243


Source: http://status.pantheon.io/history.rss