Introduction
Another highly critical security advisory has been issued for Drupal.
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
I ran into two different issues when updating from Drupal version 8.5.1 to 8.5.3 using composer on a Drupal instance.
Issue 1: Cannot Allocate Memory
composer update
...
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 0 installs, 30 updates, 0 removals
  - Updating guzzlehttp/guzzle (6.3.2 => 6.3.3): The following exception is caused by a lack of memory or swap, or not having swap configured
Check https://getcomposer.org/doc/articles/troubleshooting.md#proc-open-fork-failed-errors for details

  [ErrorException]
  proc_open(): fork failed - Cannot allocate memory
I was able to fix the issue by following the link in the error message: https://getcomposer.org/doc/articles/troubleshooting.md#proc-open-fork-failed-errors. Increasing the swap space fixed this issue.
sudo /bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=1024
sudo /sbin/mkswap /var/swap.1
sudo /sbin/swapon /var/swap.1
Issue 2: Nothing to install or update
composer update
> DrupalProject\composer\ScriptHandler::checkComposerVersion
Loading composer repositories with package information
Updating dependencies (including require-dev)
Nothing to install or update
This was another trivial issue. The composer.json file was restricting the update from going past version 8.5.1.
composer prohibits drupal/core:8.5.3
drupal-composer/drupal-project - requires drupal/core (8.5.1)
Changing the require section in the composer.json from:
"require": {
    "drupal/core": "8.5.1"
}
To:
"require": {
    "drupal/core": "~8.5"
}
This tells composer that it can update to the latest version of the Drupal core in 8.5.x.
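To check before running composer update whether a require entry can reach a security release, here is an added example (not from the original post or from Composer itself) that evaluates only the exact and tilde forms used above, following Composer's documented tilde rule. The helper names and the embedded composer.json strings are constructed for illustration; it also shows that ~8.5 admits later 8.x minor releases, while ~8.5.0 stays within 8.5.x.

```python
import json

def parse(version):
    """'8.5.3' -> (8, 5, 3). Stability suffixes such as -beta1 are not handled."""
    return tuple(int(part) for part in version.split("."))

def pad(parts, width=3):
    """Right-pad a version tuple with zeros: (8, 5) -> (8, 5, 0)."""
    return parts + (0,) * (width - len(parts))

def bounds(constraint):
    """Return (lower_inclusive, upper_exclusive) for 'X.Y.Z', '~X.Y' or '~X.Y.Z'."""
    if constraint.startswith("~"):
        parts = parse(constraint[1:])
        if len(parts) not in (2, 3):
            raise ValueError("unsupported tilde form: " + constraint)
        # The last written digit may grow; the one before it is bumped for the cap.
        head = parts[:-1]
        return pad(parts), pad(head[:-1] + (head[-1] + 1,))
    exact = parse(constraint)
    if len(exact) != 3:
        raise ValueError("unsupported constraint: " + constraint)
    # An exact pin matches that single version only.
    return exact, exact[:-1] + (exact[-1] + 1,)

def allows(constraint, version):
    """True if the version falls inside the constraint's range."""
    lower, upper = bounds(constraint)
    return lower <= pad(parse(version)) < upper

def audit(composer_json, package, fixed_version):
    """Report whether the require entry lets Composer reach fixed_version."""
    constraint = json.loads(composer_json)["require"][package]
    return {
        "constraint": constraint,
        "exact_pin": not constraint.startswith("~"),
        "allows_fix": allows(constraint, fixed_version),
    }

# Constructed composer.json fragments mirroring the before/after shown above.
BEFORE = '{"require": {"drupal/core": "8.5.1"}}'
AFTER = '{"require": {"drupal/core": "~8.5"}}'

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(doc, "drupal/core", "8.5.3"))
    for candidate in ("8.5.3", "8.6.0", "9.0.0"):
        print(candidate, allows("~8.5", candidate), allows("~8.5.0", candidate))
```
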
composer update
> DrupalProject\composer\ScriptHandler::checkComposerVersion Loading composer repositories with package information Updating dependencies (including require-dev) Package operations: 0 installs, 1 update, 0 removals - Updating drupal/core (8.5.1 => 8.5.3): Checking out b012f0ae51 Writing lock file Generating autoload files Downloading (100%)Downloading (100%)Downloading (100%)Downloading (100%)Downloading (100%)Downloading (100%)Downloading (100%)Downloading (100%)Downloading (100%)Downloading (100%)Downloading (100%)Downloading (100%)Downloading (100%)Downloading (100%)Downloading (100%)Downloading (100%)> DrupalProject\composer\ScriptHandler::createRequiredFiles
Success!