The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:
Multiple vulnerabilities are possible if Drupal is configured to allow
.tlz file uploads and processes them.
To mitigate this issue, prevent untrusted users from uploading
This is a different issue than SA-CORE-2019-012. Similar configuration changes may mitigate the problem until you are able to patch.
Install the latest version:
- If you are using Drupal 9.0, update to Drupal 9.0.9
- If you are using Drupal 8.9, update to Drupal 8.9.10
- If you are using Drupal 8.8 or earlier, update to Drupal 8.8.12
- If you are using Drupal 7, update to Drupal 7.75
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
According to the regular security release window schedule, November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core's dependencies and some configurations of Drupal are vulnerable.
- Jess of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team