Just a little Q&A for those who missed the announcement last week or not sure what to do.
What happened exactly?
On March 21th the Drupal Security Team released a public service announcement, codenamed as PSA-2018-001, for the upcoming security patch for the Drupal core 6.x, 7.x, 8.3.x, 8.4.x, and 8.5.x versions.
So, nothing really happened yet?
The early announcement is made a week prior to the patch release in order to prepare Drupal users to stay alert on March 28th, 2018 between 18:00 - 19:30 UTC and apply the security fix as soon as it's published.
What if I'm still running on 8.3.x and 8.4.x versions?
Well, you shouldn't use them today, as they are no longer supported, however as an exception and due to a severity of the discovered issue the Drupal Security Team will provide the patches for them. Please note that for the painless update it's recommended to update to the latest 8.3.x and 8.4.x releases before the announcement is made, apply the patch on March 28th, and then plan the upgrade to the 8.5.x.
What if I'm still running on 6.x version
You should talk to commercial [service providers](https://www.drupal.org/project/d6lts in this case, or be prepared to adjust the fix for your version and apply it by yourself.
What happens if I ignore the update?
After the information about the security vulnerability is disclosed, people with malicious intentions (hackers, spammers, scammers etc.) will start developing exploits and in general, all sorts of bad things might happen with your sites.
I only hope it won't be the next [Drupageddon]https://www.drupal.org/SA-CORE-2014-005) where, as we remember, no site was considered safe only after a few hours after the announcement, if the update was ignored.
Stay safe, folks!