
it-securitynotifies - [IT-SecNots] [Security-news] Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001
  • Date: Wed, 16 Jan 2019 18:41:55 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-core-2019-001

Project: Drupal core [1]
Date: 2019-January-16
Security risk: *Critical* 16∕25
AC:Complex/A:User/CI:All/II:All/E:Proof/TD:Uncommon [2]
Vulnerability: Third Party Libraries

Description: 
Drupal core uses the third-party PEAR Archive_Tar library. This library has
released a security update which impacts some Drupal configurations. Refer to
CVE-2018-1000888 [3] for details.

Solution: 
* If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6 [4].
* If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9 [5].
* If you are using Drupal 7.x, upgrade to Drupal 7.62 [6].

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive
security coverage.

Reported By: 
* Ayesh Karunaratne [7]
* farisv [8]

Fixed By: 
* Jess [9] of the Drupal Security Team
* Ayesh Karunaratne [10]
* michieltcs [11]
* Lee Rowlands [12] of the Drupal Security Team
* Alex Pott [13] of the Drupal Security Team

-------- ADDITIONAL INFORMATION ----------------------------------------------

Note: Going forward, Drupal core will issue individual security advisories
for separate vulnerabilities included in the release, rather than lumping
"multiple vulnerabilities" into a single advisory. All advisories released
today:

* SA-CORE-2019-001 [14]
* SA-CORE-2019-002 [15]

Updating to the latest Drupal core release will apply the fixes for all the
above advisories.


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
[4] https://www.drupal.org/project/drupal/releases/8.6.6
[5] https://www.drupal.org/project/drupal/releases/8.5.9
[6] https://www.drupal.org/project/drupal/releases/7.62
[7] https://www.drupal.org/user/796148
[8] https://www.drupal.org/u/farisv
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/796148
[11] https://www.drupal.org/u/michieltcs
[12] https://www.drupal.org/user/395439
[13] https://www.drupal.org/u/alexpott
[14] https://www.drupal.org/sa-core-2019-001
[15] https://www.drupal.org/sa-core-2019-002


