[Security-news] Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001

security-news at drupal.org
Wed Jan 16 18:41:55 UTC 2019


View online: https://www.drupal.org/sa-core-2019-001

Project: Drupal core [1]
Date: 2019-January-16
Security risk: *Critical* 16∕25
AC:Complex/A:User/CI:All/II:All/E:Proof/TD:Uncommon [2]
Vulnerability: Third Party Libraries

Description: 
Drupal core uses the third-party PEAR Archive_Tar library. This library has
released a security update which impacts some Drupal configurations. Refer to
CVE-2018-1000888 [3] for details.

Solution: 
   * If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6 [4].
   * If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9 [5].
   * If you are using Drupal 7.x, upgrade to Drupal 7.62 [6].

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive
security coverage.

Reported By: 
   * Ayesh Karunaratne [7]
   * farisv [8]

Fixed By: 
   * Jess [9] of the Drupal Security Team
   * Ayesh Karunaratne [10]
   * michieltcs [11]
   * Lee Rowlands [12] of the Drupal Security Team
   * Alex Pott [13] of the Drupal Security Team

-------- ADDITIONAL INFORMATION ----------------------------------------------

Note: Going forward, Drupal core will issue individual security advisories
for separate vulnerabilities included in the release, rather than lumping
"multiple vulnerabilities" into a single advisory. All advisories released
today:

   * SA-CORE-2019-001 [14]
   * SA-CORE-2019-002 [15]

Updating to the latest Drupal core release will apply the fixes for all the
above advisories.


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
[4] https://www.drupal.org/project/drupal/releases/8.6.6
[5] https://www.drupal.org/project/drupal/releases/8.5.9
[6] https://www.drupal.org/project/drupal/releases/7.62
[7] https://www.drupal.org/user/796148
[8] https://www.drupal.org/u/farisv
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/796148
[11] https://www.drupal.org/u/michieltcs
[12] https://www.drupal.org/user/395439
[13] https://www.drupal.org/u/alexpott
[14] https://www.drupal.org/sa-core-2019-001
[15] https://www.drupal.org/sa-core-2019-002


