From security-news at drupal.org Wed Jul 21 16:38:46 2021
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 21 Jul 2021 16:38:46 +0000 (UTC)
Subject: [Security-news] Drupal core - Critical - Drupal core - Critical - Third-party libraries - SA-CORE-2021-004
Message-ID:

View online: https://www.drupal.org/sa-core-2021-004

Project: Drupal core [1]
Date: 2021-July-21
Security risk: *Critical* 15∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Drupal core - Critical - Third-party libraries
CVE IDs: CVE-2021-32610

Description:

The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal.

The vulnerability is mitigated by the fact that Drupal core's use of the Archive_Tar library is not vulnerable, as it does not permit symlinks.

Exploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) which come from a potentially untrusted source.

This advisory is not covered by Drupal Steward [3].

Solution:

Install the latest version:

* If you are using Drupal 9.2, update to Drupal 9.2.2 [4].
* If you are using Drupal 9.1, update to Drupal 9.1.11 [5].
* If you are using Drupal 8.9, update to Drupal 8.9.17 [6].
* If you are using Drupal 7, update to Drupal 7.82 [7].

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.
Reported By:

* Drew Webber [8] of the Drupal Security Team

Fixed By:

* Drew Webber [9] of the Drupal Security Team
* michieltcs [10]
* Heine [11] of the Drupal Security Team
* Jess [12] of the Drupal Security Team
* Lee Rowlands [13] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/9.2.2
[5] https://www.drupal.org/project/drupal/releases/9.1.11
[6] https://www.drupal.org/project/drupal/releases/8.9.17
[7] https://www.drupal.org/project/drupal/releases/7.82
[8] https://www.drupal.org/user/255969
[9] https://www.drupal.org/user/255969
[10] https://www.drupal.org/user/3587972
[11] https://www.drupal.org/user/17943
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/395439

From security-news at drupal.org Wed Jul 21 17:00:30 2021
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 21 Jul 2021 17:00:30 +0000 (UTC)
Subject: [Security-news] Form mode manager - Moderately critical - Access bypass - SA-CONTRIB-2021-023
Message-ID:

View online: https://www.drupal.org/sa-contrib-2021-023

Project: Form mode manager [1]
Date: 2021-July-21
Security risk: *Moderately critical* 11∕25 AC:Basic/A:User/CI:None/II:Some/E:Proof/TD:Default [2]
Vulnerability: Access bypass

Description:

This module provides a user interface that allows the implementation and use of /Form modes/ without custom development.

The module does not sufficiently respect access restrictions to entity forms for routes it creates to use specific form modes.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to use a specific form mode, for example "use X form mode".

Solution:

Install the latest version:

* If you use the Form mode manager module 8.x-1.x series for Drupal 8, upgrade to form_mode_manager 8.x-1.4 [3].
Reported By:

* Byron Duvall [4]
* Jason Partyka [5]
* Bec [6]

Fixed By:

* Byron Duvall [7]
* Derek Wright [8]

Coordinated By:

* Greg Knaddison [9] of the Drupal Security Team
* Damien McKenna [10] of the Drupal Security Team

[1] https://www.drupal.org/project/form_mode_manager
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/form_mode_manager/releases/8.x-1.4
[4] https://www.drupal.org/user/1279040
[5] https://www.drupal.org/user/344048
[6] https://www.drupal.org/user/81067
[7] https://www.drupal.org/user/1279040
[8] https://www.drupal.org/user/46549
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/108450

From security-news at drupal.org Wed Jul 28 16:58:29 2021
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 28 Jul 2021 16:58:29 +0000 (UTC)
Subject: [Security-news] Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2021-024
Message-ID:

View online: https://www.drupal.org/sa-contrib-2021-024

Project: Pages Restriction Access [1]
Date: 2021-July-28
Security risk: *Critical* 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description:

This project enables administrators to restrict access from anonymous and regular users to pre-defined pages.

The administration routes used by the project lacked proper permissions, allowing untrusted users to access, create and modify the module's settings.
Solution:

Install the latest version:

* If you use Pages Restriction Access for Drupal 8.x, upgrade to Pages Restriction Access 8.x-1.4 [3].

Reported By:

* Murilo Marchi [4]

Fixed By:

* Renato Gonçalves H [5]
* Vitor Grillo [6]

Coordinated By:

* Chris McCafferty [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team

[1] https://www.drupal.org/project/pages_restriction
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/pages_restriction/releases/8.x-1.4
[4] https://www.drupal.org/user/3681454
[5] https://www.drupal.org/user/3326031
[6] https://www.drupal.org/user/3436121
[7] https://www.drupal.org/u/cilefen
[8] https://www.drupal.org/user/36762
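SA-CORE-2021-004 above says the core wrapper is safe because it "does not permit symlinks", and that contrib or custom code extracting archives from an untrusted source is where the risk sits. The following is an added example, not code from Drupal core or from the pear/archive_tar project, of what such custom code should do before calling extract(): list the entries first and refuse the whole archive if any entry is a hard link or symlink, or names a path that would land outside the destination. It assumes pear/archive_tar is installed through Composer; the function names and the command-line usage at the bottom are mine.

```php
<?php
// Added example, not Drupal core or pear/archive_tar code: gate extraction of
// a tar archive from an untrusted source on an inspection pass that rejects
// link entries and paths escaping the destination. Assumes pear/archive_tar
// (the library named in SA-CORE-2021-004) is installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Inspects an archive and returns the reasons it must not be extracted.
 *
 * Archive_Tar::listContent() yields one array per entry; 'typeflag' carries
 * the ustar type byte ('1' = hard link, '2' = symlink) and 'link' its target.
 *
 * @return string[] Empty if every entry is an ordinary file or directory.
 */
function untrusted_tar_problems(string $tar_path): array {
  $tar = new Archive_Tar($tar_path);
  $entries = $tar->listContent();
  if (!is_array($entries)) {
    return ['archive could not be read'];
  }
  $problems = [];
  foreach ($entries as $entry) {
    $name = (string) $entry['filename'];
    $type = (string) $entry['typeflag'];
    if ($type === '1' || $type === '2') {
      $kind = $type === '2' ? 'symlink' : 'hard link';
      $problems[] = sprintf('%s is a %s to %s', $name, $kind, $entry['link']);
    }
    // Absolute paths and ".." segments would write outside the destination.
    if (strpos($name, '/') === 0 || preg_match('#(^|/)\.\.(/|$)#', $name)) {
      $problems[] = "$name escapes the destination directory";
    }
  }
  return $problems;
}

/**
 * Extracts only after the inspection pass found nothing to reject.
 */
function extract_untrusted_tar(string $tar_path, string $dest): void {
  $problems = untrusted_tar_problems($tar_path);
  if ($problems !== []) {
    throw new RuntimeException(
      "Refusing to extract $tar_path: " . implode('; ', $problems)
    );
  }
  if (!(new Archive_Tar($tar_path))->extract($dest)) {
    throw new RuntimeException("Extraction of $tar_path into $dest failed");
  }
}

// Constructed usage: $argv[1] is the uploaded archive, $argv[2] the target dir.
if (PHP_SAPI === 'cli' && isset($argv[2])) {
  extract_untrusted_tar($argv[1], $argv[2]);
  echo "Extracted cleanly into {$argv[2]}\n";
}
```

Rejecting the archive outright, rather than skipping the offending entries, is the safer default for an upload: the presence of a link entry is itself a signal worth logging. The inspect-then-extract pattern only holds if the file cannot change between the two calls, so copy an upload to a private temporary path before inspecting it, and keep the library itself at the patched version, since the check above covers link entries and traversal but not any other defect a future Archive_Tar release might fix.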
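SA-CONTRIB-2021-023 above describes routes that honour the "use X form mode" permission but not the access restrictions of the entity form itself. The following is an added example, not code from the form_mode_manager project, of a Drupal route access check that requires both: the permission that the advisory names as the mitigating factor, and the entity's own update access. The namespace, class name, permission string pattern and the route parameter names 'entity' and 'form_mode' are assumptions for illustration.

```php
<?php
// Added example, not form_mode_manager project code: a route access check
// that requires the form-mode permission AND the entity's own form access.
// Class name, permission pattern and route parameter names are assumptions.
namespace Drupal\my_module\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Grants access to a form-mode route only when both conditions hold.
 */
class FormModeEntityAccessCheck implements AccessInterface {

  /**
   * Checks access for a route carrying 'entity' and 'form_mode' parameters.
   */
  public function access(RouteMatchInterface $route_match, AccountInterface $account) {
    $entity = $route_match->getParameter('entity');
    $form_mode = $route_match->getParameter('form_mode');
    if (!$entity instanceof EntityInterface || !is_string($form_mode)) {
      // Malformed route: fail closed rather than open.
      return AccessResult::forbidden();
    }

    // The permission the advisory names ("use X form mode"); cached per
    // permissions by allowedIfHasPermission().
    $can_use_mode = AccessResult::allowedIfHasPermission(
      $account,
      "use $form_mode form mode"
    );

    // The entity's own form access, which the vulnerable routes skipped: a
    // user allowed to use the form mode must still be allowed to edit this
    // particular entity. The entity access handler adds its own cacheability.
    $can_edit = $entity->access('update', $account, TRUE);

    return $can_use_mode->andIf($can_edit);
  }

}
```

To wire this in, register the class as a service tagged `access_check` with `applies_to: _form_mode_entity_access`, and set `_form_mode_entity_access: 'TRUE'` under the route's requirements; andIf() ensures the route is allowed only when both results are allowed, and both results carry their cache contexts so the decision is cached correctly per user.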