Drupal core - Critical - Third-party libraries - SA-CORE-2021-001

Project: Drupal core
Date: 2021-January-20
Security risk: Critical 18∕25
Vulnerability: Third-party libraries

Description

The Drupal project uses the PEAR Archive_Tar library, which has released a security update that impacts Drupal. For more information please see:

Exploits may be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.

Solution:
Install the latest version:

If you are using Drupal 9.1, update to Drupal 9.1.3.
If you are using Drupal 9.0, update to Drupal 9.0.11.
If you are using Drupal 8.9, update to Drupal 8.9.13.
If you are using Drupal 7, update to Drupal 7.78.
Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Disable uploads of .tar, .tar.gz, .bz2, or .tlz files to mitigate the vulnerability.
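
The following added example (not part of the advisory or of Drupal's code) checks a site inventory against the releases and file types listed above. The function names are hypothetical, and it assumes the site's allowed upload extensions are available as a space-separated list in which a `.tar.gz` upload is matched by its final extension `gz`.

```python
import re

# Fixed release per branch, as listed in the advisory.
FIXED = {(9, 1): (9, 1, 3), (9, 0): (9, 0, 11), (8, 9): (8, 9, 13), (7,): (7, 78)}
# Final extensions covering .tar, .tar.gz, .bz2 and .tlz
# (assumption: the upload allow-list matches on the last extension only).
ARCHIVE_EXTS = {"tar", "gz", "bz2", "tlz"}


def parse_version(version):
    """Parse '9.1.2', '7.77' or '9.1.3-rc1' into (numbers, is_prerelease)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(-[\w.]+)?$", version.strip())
    if not m:
        return None  # e.g. '9.1.x-dev': no fixed patch level to compare
    nums = tuple(int(p) for p in m.groups()[:3] if p is not None)
    return nums, m.group(4) is not None


def assess_core(version):
    """Return (status, fixed_release) for a Drupal core version string."""
    parsed = parse_version(version)
    if parsed is None:
        return ("unknown", None)
    nums, prerelease = parsed
    if nums[0] == 8 and nums[:2] < (8, 9):
        return ("end-of-life", None)  # no security coverage, so no fixed release
    fixed = FIXED.get((7,) if nums[0] == 7 else nums[:2])
    if fixed is None:
        return ("not-listed", None)  # branch is not named in the advisory
    # A pre-release of the fixed version sorts before it, so it is not patched.
    patched = nums > fixed or (nums == fixed and not prerelease)
    return ("patched" if patched else "vulnerable", ".".join(map(str, fixed)))


def risky_extensions(allowed):
    """Return archive extensions found in a space-separated allow-list."""
    exts = {e.lower().lstrip(".") for e in allowed.split()}
    return sorted(exts & ARCHIVE_EXTS)


if __name__ == "__main__":
    # Constructed sample inventory: (core version, allowed upload extensions).
    for ver, allowed in [("9.1.2", "txt pdf tar gz"), ("7.78", "jpg png")]:
        print(ver, assess_core(ver), risky_extensions(allowed))
```

A site reported as `vulnerable` or `end-of-life` that also returns a non-empty list from `risky_extensions` is the combination the advisory describes as exploitable and should be handled first.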

Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of open source applications, AI, and bitcoins, but mostly about Drupal. Has been actively developing AltaGrade's new back-end system in recent years.