it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012
- Date: Wed, 18 Dec 2019 19:54:47 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-core-2019-012
Project: Drupal core [1]
Version: 8.8.x-dev8.7.x-dev7.x-dev
Date: 2019-December-18
Security risk: *Critical* 17∕25
AC:Basic/A:User/CI:All/II:All/E:Proof/TD:Uncommon [2]
Vulnerability: Multiple vulnerabilities
Description:
The Drupal project uses the third-party library Archive_Tar [3], which has
released a security update that impacts some Drupal configurations.
Multiple vulnerabilities are possible if Drupal is configured to allow .tar,
.tar.gz, .bz2 or .tlz file uploads and processes them.
The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the
file processing vulnerabilities.
Solution:
Install the latest version:
* If you are using Drupal 7.x, upgrade to Drupal 7.69 [4].
* If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11 [5].
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1 [6].
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive
security coverage.
Reported By:
* Jasper Mattsson [7]
Fixed By:
* Lee Rowlands [8] of the Drupal Security Team
* Peter Wolanin [9] of the Drupal Security Team
* Sam Becker [10]
* Jasper Mattsson [11]
* David Rothstein [12] of the Drupal Security Team
* michieltcs [13]
* Ayesh Karunaratne [14]
* Alex Pott [15] of the Drupal Security Team
* Jess [16] of the Drupal Security Team
* Samuel Mortenson [17] of the Drupal Security Team
* Vijaya Chandran Mani [18]
* Drew Webber [19] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://pear.php.net/package/Archive_Tar/
[4] https://www.drupal.org/project/drupal/releases/7.69
[5] https://www.drupal.org/project/drupal/releases/8.7.11
[6] https://www.drupal.org/project/drupal/releases/8.8.1
[7] https://www.drupal.org/user/521118
[8] https://www.drupal.org/user/395439
[9] https://www.drupal.org/user/49851
[10] https://www.drupal.org/user/1485048
[11] https://www.drupal.org/user/521118
[12] https://www.drupal.org/user/124982
[13] https://www.drupal.org/user/3587972
[14] https://www.drupal.org/user/796148
[15] https://www.drupal.org/user/157725
[16] https://www.drupal.org/user/65776
[17] https://www.drupal.org/user/2582268
[18] https://www.drupal.org/user/93488
[19] https://www.drupal.org/user/255969
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012, security-news, 18.12.2019
Archiv bereitgestellt durch MHonArc 2.6.19.