[Security-news] Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007
security-news at drupal.org
Wed May 8 17:27:29 UTC 2019
View online: https://www.drupal.org/sa-core-2019-007
Project: Drupal core [1]
Date: 2019-May-08
Security risk: *Moderately critical* 14/25
AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Third-party libraries
Description:
This security release fixes third-party dependencies included in or required
by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of
Phar Stream Wrapper Interceptor [3]:
>In order to intercept file invocations like file_exists or stat on
>compromised Phar archives the base name has to be determined and checked
>before allowing to be handled by PHP Phar stream handling. [...]
>
>The current implementation is vulnerable to path traversal leading to
>scenarios where the Phar archive to be assessed is not the actual
>(compromised) file.
>
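The quoted advisory describes a check that runs on the wrong archive when a phar:// path contains traversal segments. The PHP sketch below is an added illustration written for this page; it is not code from Drupal, TYPO3 or the Phar Stream Wrapper library, whose actual logic the advisory does not show. The class name, the "naive" resolver (an assumed reconstruction of the bug class, not the library's real code), the allowlist and the sample URLs are all constructed for the example. It shows that the archive vetted must be determined from the normalised path, otherwise a trailing "../" sequence makes the check look at one archive while the file system opens another.

```php
<?php
declare(strict_types=1);

/**
 * Added illustration only: not code from Drupal, TYPO3 or the Phar Stream
 * Wrapper library. It shows why an interceptor must normalise a phar:// path
 * before deciding which archive it is vetting.
 */
final class PharPathResolver
{
    /**
     * Collapse "." and ".." segments of a path the way a file system would,
     * without ever climbing above the root. realpath() cannot do this here,
     * because the part after the ".phar" segment is not a real directory.
     */
    public static function normalize(string $path): string
    {
        $parts = [];
        foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
            if ($segment === '' || $segment === '.') {
                continue;
            }
            if ($segment === '..') {
                array_pop($parts);
                continue;
            }
            $parts[] = $segment;
        }
        return '/' . implode('/', $parts);
    }

    /**
     * Return the leading prefix of $path that ends in a ".phar" segment,
     * i.e. the archive part of a phar path, or null if there is none.
     */
    private static function firstPharPrefix(string $path): ?string
    {
        $offset = 0;
        while (($pos = stripos($path, '.phar', $offset)) !== false) {
            $end = $pos + strlen('.phar');
            // ".phar" must terminate a segment, so "x.pharmacy/" does not match
            if ($end === strlen($path) || $path[$end] === '/') {
                return substr($path, 0, $end);
            }
            $offset = $end;
        }
        return null;
    }

    /** Strip the scheme; null when this is not a phar:// URL at all. */
    private static function stripScheme(string $url): ?string
    {
        return stripos($url, 'phar://') === 0 ? substr($url, strlen('phar://')) : null;
    }

    /**
     * Naive resolver (assumed reconstruction of the bug class, not the
     * library's code): it takes the first ".phar" segment of the raw URL, so
     * traversal segments after it are ignored by the check but not by the
     * file system.
     */
    public static function naiveArchiveBaseName(string $url): ?string
    {
        $path = self::stripScheme($url);
        return $path === null ? null : self::firstPharPrefix($path);
    }

    /** Hardened resolver: normalise first, then locate the archive. */
    public static function archiveBaseName(string $url): ?string
    {
        $path = self::stripScheme($url);
        return $path === null ? null : self::firstPharPrefix(self::normalize($path));
    }

    /** Decide whether the archive named by $url is on the allowlist. */
    public static function isAllowed(string $url, array $allowedArchives): bool
    {
        $archive = self::archiveBaseName($url);
        return $archive !== null && in_array($archive, $allowedArchives, true);
    }
}

// Constructed sample data for the demonstration; the paths need not exist.
$allowed = ['/var/www/vendor/tool.phar'];
$urls = [
    'phar:///var/www/vendor/tool.phar/src/file.php',
    'phar:///var/www/vendor/tool.phar/../../uploads/other.phar/src/file.php',
];

foreach ($urls as $url) {
    $naive = PharPathResolver::naiveArchiveBaseName($url);
    printf("%s\n", $url);
    printf("  naive check vets:      %s -> %s\n", $naive ?? '(none)',
        in_array($naive, $allowed, true) ? 'allowed' : 'rejected');
    printf("  normalised check vets: %s -> %s\n",
        PharPathResolver::archiveBaseName($url) ?? '(none)',
        PharPathResolver::isAllowed($url, $allowed) ? 'allowed' : 'rejected');
}
```

For the second URL the naive resolver vets /var/www/vendor/tool.phar and accepts it, while the normalised resolver vets /var/www/uploads/other.phar and rejects it. A real interceptor would additionally confirm the archive portion with realpath() against the file on disk and keep a deny-by-default policy, as the Drupal and TYPO3 releases referenced above do in their own way; this sketch only isolates the normalisation step.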
Solution:
Install the latest version:
* If you are using Drupal 8.7, update to Drupal 8.7.1 [4].
* If you are using Drupal 8.6 or earlier, update to Drupal 8.6.16 [5].
* If you are using Drupal 7, update to Drupal 7.67 [6].
Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive
security coverage.
Also see the Drupal core [7] project page.
Reported By:
* Daniel Le Gall [8]
Fixed By:
* Jess [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
* Oliver Hader [11]
* David Snopek [12] of the Drupal Security Team
* Alex Pott [13] of the Drupal Security Team
* Daniel Le Gall [14]
* Tim Plunkett [15]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://typo3.org/security/advisory/typo3-psa-2019-007/
[4] https://www.drupal.org/project/drupal/releases/8.7.1
[5] https://www.drupal.org/project/drupal/releases/8.6.16
[6] https://www.drupal.org/project/drupal/releases/7.67
[7] https://www.drupal.org/project/drupal
[8] https://www.drupal.org/user/3606561
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/102818
[11] https://www.drupal.org/user/3602633
[12] https://www.drupal.org/user/266527
[13] https://www.drupal.org/user/157725
[14] https://www.drupal.org/user/3606561
[15] https://www.drupal.org/user/241634