View online: https://www.drupal.org/sa-core-2019-007
Project: Drupal core [1]
Date: 2019-May-08
Security risk: *Moderately critical* 14/25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Third-party libraries
Description: This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor [3]:
In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. [...]
The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.
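The advisory's point is that the archive name must be derived from the path PHP will actually open, so `..` segments have to be resolved before the check. The following is an added illustration in Python (not code from Drupal, TYPO3 or the Phar Stream Wrapper library) that models a naive base-name extraction beside a normalising one; the `phar://` path layout, the assumed naive cut at the first `.phar`, and the sample paths and allowlist are constructed for the example.

```python
import posixpath

PHAR_PREFIX = "phar://"


def naive_base_name(path):
    """Assumed naive approach: cut the raw path at the first '.phar' without
    resolving '.' or '..' segments, so traversal after that point is ignored."""
    if not path.startswith(PHAR_PREFIX):
        return None
    inner = path[len(PHAR_PREFIX):]
    idx = inner.find(".phar")
    if idx == -1:
        return None
    return inner[: idx + len(".phar")]


def resolve_phar_base(path):
    """Hardened check: normalise the path first, then take the first segment
    ending in '.phar' as the archive the stream wrapper will really open."""
    if not path.startswith(PHAR_PREFIX):
        return None
    inner = posixpath.normpath(path[len(PHAR_PREFIX):])
    # A relative path that still escapes upward cannot be assessed safely.
    if inner == ".." or inner.startswith("../"):
        return None
    parts = inner.split("/")
    for i, segment in enumerate(parts):
        if segment.lower().endswith(".phar"):
            return "/".join(parts[: i + 1])
    return None


def is_allowed(path, allowlist):
    """Only allow Phar access when the resolved archive is on the allowlist."""
    base = resolve_phar_base(path)
    return base is not None and base in allowlist


if __name__ == "__main__":
    # Constructed sample: traversal inside a phar:// path.
    sample = "phar:///var/www/allowed.phar/../../../tmp/other.phar/payload.txt"
    print("naive   :", naive_base_name(sample))    # /var/www/allowed.phar
    print("resolved:", resolve_phar_base(sample))  # /tmp/other.phar
    print("allowed :", is_allowed(sample, {"/var/www/allowed.phar"}))  # False
```

The naive function reports the allowlisted archive while the normalised path points at a different one; the resolved name is the one an interceptor must assess.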
Solution: Install the latest version:
* If you are using Drupal 8.7, update to Drupal 8.7.1 [4].
* If you are using Drupal 8.6 or earlier, update to Drupal 8.6.16 [5].
* If you are using Drupal 7, update to Drupal 7.67 [6].
Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.
Also see the Drupal core [7] project page.
Reported By:
* Daniel Le Gall [8]
Fixed By:
* Jess [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
* Oliver Hader [11]
* David Snopek [12] of the Drupal Security Team
* Alex Pott [13] of the Drupal Security Team
* Daniel Le Gall [14]
* Tim Plunkett [15]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://typo3.org/security/advisory/typo3-psa-2019-007/
[4] https://www.drupal.org/project/drupal/releases/8.7.1
[5] https://www.drupal.org/project/drupal/releases/8.6.16
[6] https://www.drupal.org/project/drupal/releases/7.67
[7] https://www.drupal.org/project/drupal
[8] https://www.drupal.org/user/3606561
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/102818
[11] https://www.drupal.org/user/3602633
[12] https://www.drupal.org/user/266527
[13] https://www.drupal.org/user/157725
[14] https://www.drupal.org/user/3606561
[15] https://www.drupal.org/user/241634