Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.
- If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6.
- If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9.
- If you are using Drupal 7.x, upgrade to Drupal 7.62.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
- Jess of the Drupal Security Team
- Ayesh Karunaratne
- michieltcs
- Lee Rowlands of the Drupal Security Team
- Alex Pott of the Drupal Security Team
Known issues
Users are reporting a fatal error when updating their sites with Drush. Site owners may be able to run drush updb and either drush cc all or drush cr, depending on the version, to complete the update. Check the status report afterward to confirm that Drupal has been updated. See https://www.drupal.org/project/drupal/issues/3026386 for details.
Additional information
Note: Going forward, Drupal core will issue individual security advisories for separate vulnerabilities included in the release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today:
Updating to the latest Drupal core release will apply the fixes for all the above advisories.