Drupal

Project: Drupal coreVersion: 8.8.x-dev8.7.x-dev7.x-devDate: 2019-December-18Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Proof/TD:UncommonVulnerability: Multiple vulnerabilitiesDescription: 

The Drupal project uses the third-party library Archive_Tar, which has released a security improvement that is needed to protect some Drupal configurations.

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.

Edited to clarify the nature of the upstream release.

Solution: 

Install the latest version:

• If you are using Drupal 7.x, upgrade to Drupal 7.69.
• If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11.
• If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1.

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Additional information

All advisories released today:

• SA-CORE-2019-009
• SA-CORE-2019-010
• SA-CORE-2019-011
• SA-CORE-2019-012

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

(Note that this SA is the only one in the list that applies to Drupal 7.x)

Reported By: 

• Jasper Mattsson

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• Sam Becker
• Jasper Mattsson
• David Rothstein of the Drupal Security Team
• michieltcs
• Ayesh Karunaratne
• Alex Pott of the Drupal Security Team
• Jess of the Drupal Security Team
• Samuel Mortenson of the Drupal Security Team
• Vijaya Chandran Mani Provisional Security Team Member
• Drew Webber of the Drupal Security Team

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.

Solution: 

• If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11.
• If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1.

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Alternatively, you may mitigate this vulnerability by unchecking the "Enable advanced UI" checkbox on /admin/config/media/media-library. (This mitigation is not available in 8.7.x.)

Additional information

All advisories released today:

• SA-CORE-2019-009
• SA-CORE-2019-010
• SA-CORE-2019-011
• SA-CORE-2019-012

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: 

• Adam G-H

Fixed By: 

• Adam G-H
• Jess of the Drupal Security Team
• Andrei Mateescu
• Greg Knaddison of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team
• Sean Blommaert
• Lee Rowlands of the Drupal Security Team

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 14∕25 AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:DefaultVulnerability: Multiple vulnerabilitiesDescription: 

Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.

Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.

After this fix, file_save_upload() now trims leading and trailing dots from filenames.

Solution: 

Install the latest version:

• If you use Drupal core 8.7.x: 8.7.11
• If you use Drupal core 8.8.x: 8.8.1

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Additional information

All advisories released today:

• SA-CORE-2019-009
• SA-CORE-2019-010
• SA-CORE-2019-011
• SA-CORE-2019-012

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: 

• Rohit Kapur
• Filipe Reis
• Dan Reif
• mramydnei

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team
• Kim Pepper
• Alex Pott of the Drupal Security Team
• Derek Wright
• Jess of the Drupal Security Team
• David Rothstein of the Drupal Security Team

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 12∕25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Denial of ServiceDescription: 

A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.

Solution: 

Install the latest version:

• If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11.
• If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1.

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

To mitigate this issue in any version of Drupal 8, you can also block access to install.php if it's not required.

Additional information

All advisories released today:

• SA-CORE-2019-009
• SA-CORE-2019-010
• SA-CORE-2019-011
• SA-CORE-2019-012

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: 

• Drew Webber of the Drupal Security Team

Fixed By: 

• Drew Webber of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Heine of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Jess of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• David Snopek of the Drupal Security Team
• Nathaniel Catchpole of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team