There is a serious PHP bug, with exploits in the wild, affecting the PHP session extension (ext/session); vulnerable versions include PHP < 5.4.45, < 5.5.29, < 5.6.13. The bug has only been partially publicly disclosed, so for the moment, we can’t give precise technical details.
PHP released fixed versions on September 4th, but there has been some recent coverage of this vulnerability, which is why we’re discussing it now. We’d like to reassure our customers that their sites have been updated automatically and aren’t vulnerable to the issue, and that no further action is required by customers.
Furthermore, after careful analysis, we determined that Drupal 7 and Drupal 8 were not vulnerable to this issue at any time. Other PHP programs may be affected (Joomla! CMS versions 1.5.0 through 3.4.5 are known to be vulnerable, and many others might be as well).
If you don’t host your site on Platform.sh, you are encouraged to update your PHP to a current version. If you are on Platform.sh, enjoy the holiday season; we’ve got you covered.