The Drupal project uses the third-party library Archive_Tar, which has released a security improvement that is needed to protect some Drupal configurations.
Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.
The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.
Edited to clarify the nature of the upstream release.Solution:
Install the latest version:
- If you are using Drupal 7.x, upgrade to Drupal 7.69.
- If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11.
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1.
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.Additional information
All advisories released today:
Updating to the latest Drupal core release will apply the fixes for all the above advisories.
(Note that this SA is the only one in the list that applies to Drupal 7.x)Reported By:
- Lee Rowlands of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Sam Becker
- Jasper Mattsson
- David Rothstein of the Drupal Security Team
- Ayesh Karunaratne
- Alex Pott of the Drupal Security Team
- Jess of the Drupal Security Team
- Samuel Mortenson of the Drupal Security Team
- Vijaya Chandran Mani Provisional Security Team Member
- Drew Webber of the Drupal Security Team