Drupal is calling on its users to be on standby for the announcement of a highly critical release on 28 March that will address issues in Drupal 7 and 8.
The firm's security team is urging users to reserve time for core updates and is warning that exploits might be developed within hours or days of the announcement, according to a 21 March security advisory.
Specific details of the vulnerability weren't given, and it is unclear how an attacker would exploit the flaws. The firm did say that it will provide 8.3.x and 8.4.x releases that include the fix for sites that have not yet had a chance to update to 8.5.0, and that the fix will not require a database update.
“The security advisory will list the appropriate version numbers for all three Drupal 8 branches,” the company said in the advisory. “Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.”
The updates will be announced on the firm's security advisory page and will also be made public over Twitter.