PSA-2016-002

Drupal 8: Critical vulnerability in Guzzle library / httpoxy (PSA-2016-002)

Submitted by dryer on Mon, 07/18/2016 - 06:32

On Monday 18th July 2016 Drupal 8 will receive a critical patch to the system. Instead of Drupal itself, this issue is a part of a third party library that Drupal uses Normally the Drupal security team releases patches on Wednesdays, but in this case it has been moved to Monday. There will be no releases on the upcoming Wednesday, July 20th.

The issue at hand is the Guzzle library, which in turn stems from a much larger issue, now known as httpoxy which is a low level issue in how FastCGI and PHP-CGI work together: