Request for version bump to www-apps/drupal-8.1.10 due to multiple security vulnerabilities: 1. Users without "Administer comments" can set comment visibility on nodes they can edit. (Less critical): Users who have rights to edit a node, can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission. 2. Cross-site Scripting in http exceptions (critical): An attacker could create a specially crafted url, which could execute arbitrary code in the victim’s browser if loaded. Drupal was not properly sanitizing an exception 3. Full config export can be downloaded without administrative permissions (critical): The system.temporary route would allow the download of a full config export. The full config export should be limited to those with Export configuration permission. Reproducible: Always
This can be moved to bug 600124 as newer versions were added to the tree.