it-securitynotifies - [IT-SecNots] [Security-news] Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

[IT-SecNots] [Security-news] Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007
  • Date: Wed, 8 May 2019 17:27:29 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-core-2019-007

Project: Drupal core [1]
Date: 2019-May-08
Security risk: *Moderately critical* 14/25
AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Third-party libraries

Description: 
This security release fixes third-party dependencies included in or required
by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of
Phar Stream Wrapper Interceptor [3]:

>In order to intercept file invocations like file_exists or stat on
>compromised Phar archives the base name has to be determined and checked
>before allowing to be handled by PHP Phar stream handling. [...]
>
>The current implementation is vulnerable to path traversal leading to
>scenarios where the Phar archive to be assessed is not the actual
>(compromised) file.
>
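The quoted TYPO3 text describes two steps: work out which archive on disk a phar:// path actually refers to (its base file), and only then run the interception policy on that file. The following PHP is an added example, not code from Drupal core or from the TYPO3 PharStreamWrapper package; it collapses "." and ".." segments before determining the base file, then applies an assumed extension policy (base file must end in .phar, which is the kind of check Drupal applies through its Phar extension interceptor). Function names, the temporary directory layout and the constructed files are all assumptions for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Collapse "." and ".." segments so that the path points at the entry PHP
 * would really open. ".." never climbs above the root.
 * (Added example, not Drupal or TYPO3 code.)
 */
function normalizePath(string $path): string
{
    $isAbsolute = substr($path, 0, 1) === '/';
    $segments = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $segment;
    }
    return ($isAbsolute ? '/' : '') . implode('/', $segments);
}

/**
 * Strip the phar:// scheme, normalize, then walk the path from its start:
 * the first component that is an existing regular file is the archive;
 * everything after it is a path inside that archive.
 */
function determineBaseFile(string $pharPath): ?string
{
    $inner = preg_replace('#^phar://#i', '', $pharPath);
    $normalized = normalizePath($inner);
    $parts = explode('/', ltrim($normalized, '/'));
    $current = substr($normalized, 0, 1) === '/' ? '' : '.';
    foreach ($parts as $part) {
        $current .= '/' . $part;
        if (is_file($current)) {
            return $current;
        }
        if (!is_dir($current)) {
            return null; // nothing on disk for PHP to open
        }
    }
    return null;
}

/** Assumed policy: only archives whose real base file ends in .phar are allowed. */
function isAllowedPharPath(string $pharPath): bool
{
    $base = determineBaseFile($pharPath);
    return $base !== null
        && strtolower(pathinfo($base, PATHINFO_EXTENSION)) === 'phar';
}

// Self-contained demonstration with constructed files in a temporary directory.
$root = sys_get_temp_dir() . '/phar-check-' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
mkdir("$root/vendor", 0700, true);
file_put_contents("$root/vendor/tool.phar", '');  // constructed: legitimate archive
file_put_contents("$root/uploads/image.jpg", ''); // constructed: a user upload

$checks = [
    "phar://$root/vendor/tool.phar/index.php",
    "phar://$root/uploads/image.jpg/index.php",
    "phar://$root/vendor/../uploads/image.jpg/index.php",
    "phar://$root/uploads/../vendor/tool.phar/index.php",
];
foreach ($checks as $path) {
    printf("%-5s base=%s  %s\n",
        isAllowedPharPath($path) ? 'allow' : 'deny',
        determineBaseFile($path) ?? '(none)',
        $path);
}

// Clean up the constructed files.
unlink("$root/vendor/tool.phar");
unlink("$root/uploads/image.jpg");
rmdir("$root/vendor");
rmdir("$root/uploads");
rmdir($root);
```

Because normalization runs before the base file is determined, the third path resolves to the upload and is denied, and the fourth resolves to the .phar and is allowed; a check that inspected the path as written, segment by segment, could be steered at a different file than the one PHP opens, which is the class of problem the quoted advisory text describes.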
Solution: 
Install the latest version:

* If you are using Drupal 8.7, update to Drupal 8.7.1 [4].
* If you are using Drupal 8.6 or earlier, update to Drupal 8.6.16 [5].
* If you are using Drupal 7, update to Drupal 7.67 [6].

Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive
security coverage.

Also see the Drupal core [7] project page.

Reported By: 
* Daniel Le Gall [8]

Fixed By: 
* Jess [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
* Oliver Hader [11]
* David Snopek [12] of the Drupal Security Team
* Alex Pott [13] of the Drupal Security Team
* Daniel Le Gall [14]
* Tim Plunkett [15]


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://typo3.org/security/advisory/typo3-psa-2019-007/
[4] https://www.drupal.org/project/drupal/releases/8.7.1
[5] https://www.drupal.org/project/drupal/releases/8.6.16
[6] https://www.drupal.org/project/drupal/releases/7.67
[7] https://www.drupal.org/project/drupal
[8] https://www.drupal.org/user/3606561
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/102818
[11] https://www.drupal.org/user/3602633
[12] https://www.drupal.org/user/266527
[13] https://www.drupal.org/user/157725
[14] https://www.drupal.org/user/3606561
[15] https://www.drupal.org/user/241634

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19.