Drupal

Project: Drupal coreDate: 2019-July-17Security risk: Critical 17∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassCVE IDs: CVE-2019-6342Description: 

In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created.

This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.

Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not affected.

Solution: 

If the site is running Drupal 8.7.4, upgrade to Drupal 8.7.5.

Note, manual step needed. For sites with the Workspaces module enabled, update.php needs to run to ensure a required cache clear. If there is a reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare) it is also advisable to clear these as well.

Reported By: 

• Dave Botsch

Fixed By: 

• Michael Hess of the Drupal Security Team
• Jess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Chris McCafferty of the Drupal Security Team
• Neil Drumm of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Andrei Mateescu

Project: Drupal coreDate: 2019-May-08Security risk: Moderately critical 14∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Third-party librariesCVE IDs: CVE-2019-11831Description: 

This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor:

In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. [...]

The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.

The known vulnerability in Drupal core requires the "administer themes" permission. However, additional vulnerabilities may exist in contributed or custom modules, so site should still update even if they do not grant this permission.

Solution: 

Install the latest version:

• If you are using Drupal 8.7, update to Drupal 8.7.1
• If you are using Drupal 8.6 or earlier, update to Drupal 8.6.16.
• If you are using Drupal 7, update to Drupal 7.67.

Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

Reported By: 

• Daniel Le Gall

Fixed By: 

• Jess of the Drupal Security Team
• Michael Hess of the Drupal Security Team
• Oliver Hader
• David Snopek of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Daniel Le Gall
• Tim Plunkett