Comment 1 GLSAMaker/CVETool Bot 2017-03-17 10:30:21 UTC

CVE-2017-6381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6381):
  A 3rd party development library including with Drupal 8 development
  dependencies is vulnerable to remote code execution. This is mitigated by
  the default .htaccess protection against PHP execution, and the fact that
  Composer development dependencies aren't normal installed. You might be
  vulnerable to this if you are running a version of Drupal before 8.2.2. To
  be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit
  directory from your production deployments

CVE-2017-6379 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6379):
  Some administrative paths in Drupal 8.2.x before 8.2.7 did not include
  protection for CSRF. This would allow an attacker to disable some blocks on
  a site. This issue is mitigated by the fact that users would have to know
  the block ID.

CVE-2017-6377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6377):
  When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the
  editor will not correctly check access for the file being attached,
  resulting in an access bypass.

Comment 2 Thomas Deutschmann (RETIRED) 2017-03-17 10:33:39 UTC

Already in repository. Repository is clean. All done.