Zum Inhalt springen.

Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Drupal core - Critical - Third-party libraries - SA-CORE-2021-001

Menü für Listeneinstellungen

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Drupal core - Critical - Third-party libraries - SA-CORE-2021-001

From: security-news AT drupal.org
To: security-news AT drupal.org
Subject: [IT-SecNots] [Security-news] Drupal core - Critical - Third-party libraries - SA-CORE-2021-001
Date: Wed, 20 Jan 2021 17:19:35 +0000 (UTC)
List-archive: <http://lists.drupal.org/pipermail/security-news/>
List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-core-2021-001

Project: Drupal core [1]
Date: 2021-January-20
Security risk: *Critical* 18∕25
AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon [2]
Vulnerability: Third-party libraries

Description:
The Drupal project uses the pear Archive_Tar library, which has released a
security update that impacts Drupal. For more information please see:

* CVE-2020-36193 [3]

Exploits may be possible if Drupal is configured to allow .tar, .tar.gz,
.bz2, or .tlz file uploads and processes them.

Solution:
Install the latest version:

* If you are using Drupal 9.1, update to Drupal 9.1.3 [4].
* If you are using Drupal 9.0, update to Drupal 9.0.11 [5].
* If you are using Drupal 8.9, update to Drupal 8.9.13 [6].
* If you are using Drupal 7, update to Drupal 7.78 [7].

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive
security coverage.

Disable uploads of .tar, .tar.gz, .bz2, or .tlz files to mitigate the
vulnerability.

Reported By:
* Richard Sheppard [8]
* Stephen Cross [9]
* Jonathan Danaher [10]
* Kim Pepper [11]

Fixed By:
* Lee Rowlands [12] of the Drupal Security Team
* Drew Webber [13] of the Drupal Security Team
* Greg Knaddison [14] of the Drupal Security Team
* Vijay Mani [15]
* Jess [16] of the Drupal Security Team
* Michael Hess [17] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193
[4] https://www.drupal.org/project/drupal/releases/9.1.3
[5] https://www.drupal.org/project/drupal/releases/9.0.11
[6] https://www.drupal.org/project/drupal/releases/8.9.13
[7] https://www.drupal.org/project/drupal/releases/7.78
[8] https://www.drupal.org/user/55284
[9] https://www.drupal.org/user/2485138
[10] https://www.drupal.org/user/1771466
[11] https://www.drupal.org/user/370574
[12] https://www.drupal.org/user/395439
[13] https://www.drupal.org/user/255969
[14] https://www.drupal.org/user/36762
[15] https://www.drupal.org/user/93488
[16] https://www.drupal.org/user/65776
[17] https://www.drupal.org/user/102818

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

[IT-SecNots] [Security-news] Drupal core - Critical - Third-party libraries - SA-CORE-2021-001, security-news, 20.01.2021

Archiv bereitgestellt durch MHonArc 2.6.24.