View online: https://www.drupal.org/sa-core-2019-001
Project: Drupal core [1]
Date: 2019-January-16
Security risk: *Critical* 16∕25 AC:Complex/A:User/CI:All/II:All/E:Proof/TD:Uncommon [2]
Vulnerability: Third Party Libraries
Description: Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 [3] for details.
Solution:
* If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6 [4].
* If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9 [5].
* If you are using Drupal 7.x, upgrade to Drupal 7.62 [6].
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
Reported By:
* Ayesh Karunaratne [7]
* farisv [8]
Fixed By:
* Jess [9] of the Drupal Security Team
* Ayesh Karunaratne [10]
* michieltcs [11]
* Lee Rowlands [12] of the Drupal Security Team
* Alex Pott [13] of the Drupal Security Team
-------- ADDITIONAL INFORMATION ----------------------------------------------
Note: Going forward, Drupal core will issue individual security advisories for separate vulnerabilities included in the release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today:
* SA-CORE-2019-001 [14]
* SA-CORE-2019-002 [15]
Updating to the latest Drupal core release will apply the fixes for all the above advisories.
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
[4] https://www.drupal.org/project/drupal/releases/8.6.6
[5] https://www.drupal.org/project/drupal/releases/8.5.9
[6] https://www.drupal.org/project/drupal/releases/7.62
[7] https://www.drupal.org/user/796148
[8] https://www.drupal.org/u/farisv
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/796148
[11] https://www.drupal.org/u/michieltcs
[12] https://www.drupal.org/user/395439
[13] https://www.drupal.org/u/alexpott
[14] https://www.drupal.org/sa-core-2019-001
[15] https://www.drupal.org/sa-core-2019-002