diff --git a/core/CHANGELOG.txt b/core/CHANGELOG.txt
index 10e824f9e3e..0436c10b092 100644
--- a/core/CHANGELOG.txt
+++ b/core/CHANGELOG.txt
@@ -1,3 +1,7 @@
+Drupal 8.3.1, 2017-04-19
+------------------------
+- Fixed security issues. See SA-CORE-2017-002.
+
 Drupal 8.3.0, 2017-04-05
 ------------------------
 - Added modules:
diff --git a/core/lib/Drupal.php b/core/lib/Drupal.php
index f15548071d9..defdbffb591 100644
--- a/core/lib/Drupal.php
+++ b/core/lib/Drupal.php
@@ -81,7 +81,7 @@ class Drupal {
 /**
 * The current system version.
 */
- const VERSION = '8.3.0';
+ const VERSION = '8.3.1';
 /**
 * Core API compatibility.
diff --git a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
index d1d43ee900b..3b16d1cddbc 100644
--- a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
+++ b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
@@ -303,6 +303,19 @@ public function fieldAccess($operation, FieldDefinitionInterface $field_definiti
 // Get the default access restriction that lives within this field.
 $default = $items ? $items->defaultAccess($operation, $account) : AccessResult::allowed();
+ // Explicitly disallow changing the entity ID and entity UUID.
+ if ($operation === 'edit') {
+ if ($field_definition->getName() === $this->entityType->getKey('id')) {
+ return $return_as_object ? AccessResult::forbidden('The entity ID cannot be changed') : FALSE;
+ }
+ elseif ($field_definition->getName() === $this->entityType->getKey('uuid')) {
+ // UUIDs can be set when creating an entity.
+ if ($items && ($entity = $items->getEntity()) && !$entity->isNew()) {
+ return $return_as_object ? AccessResult::forbidden('The entity UUID cannot be changed')->addCacheableDependency($entity) : FALSE;
+ }
+ }
+ }
+
 // Get the default access restriction as specified by the access control
 // handler.
 $entity_default = $this->checkFieldAccess($operation, $field_definition, $account, $items);
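Review bot: The UUID restriction in the new `elseif` branch of fieldAccess() silently falls through to the default access checks when `$items` is NULL, because the inner guard `$items && ($entity = $items->getEntity()) && !$entity->isNew()` has no entity to ask whether it is new, whereas the ID branch above it forbids unconditionally. If that asymmetry is intended, the inline comment should state it, e.g. `// Without field items the entity's isNew() state is unknown, so UUID edit access falls back to the default checks below.`, so a later reader does not mistake the fall-through for a missed case. It is also worth a short comment that `getKey()` returns FALSE for an entity type that does not define the key, so the strict `===` against the field name is what prevents a spurious match there and must not be relaxed to `==`. The body of fieldAccess() continues outside this hunk.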
diff --git a/vendor/squizlabs/php_codesniffer/CodeSniffer.conf b/vendor/squizlabs/php_codesniffer/CodeSniffer.conf index 992a0a964fe..934d65528da 100644 --- a/vendor/squizlabs/php_codesniffer/CodeSniffer.conf +++ b/vendor/squizlabs/php_codesniffer/CodeSniffer.conf @@ -1,5 +1,5 @@ '/Users/ganderson/local/upstreams/update-drops8-tmp.roY/drops-8/vendor/drupal/coder/coder_sniffer', + 'installed_paths' => '/Users/ganderson/local/upstreams/update-drops8-tmp.8MO/drops-8/vendor/drupal/coder/coder_sniffer', ) ?> \ No newline at end of file