View online: https://www.drupal.org/sa-core-2019-012

Project: Drupal core [1]
Version: 8.8.x-dev8.7.x-dev7.x-dev
Date: 2019-December-18
Security risk: *Critical* 17∕25
AC:Basic/A:User/CI:All/II:All/E:Proof/TD:Uncommon [2]
Vulnerability: Multiple vulnerabilities

Description: 
The Drupal project uses the third-party library Archive_Tar [3], which has
released a security update that impacts some Drupal configurations.

Multiple vulnerabilities are possible if Drupal is configured to allow .tar,
.tar.gz, .bz2 or .tlz file uploads and processes them.

The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the
file processing vulnerabilities.

Solution: 
Install the latest version:

* If you are using Drupal 7.x, upgrade to Drupal 7.69 [4].
* If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11 [5].
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1 [6].

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive
security coverage.

Reported By: 
* Jasper Mattsson [7]

Fixed By: 
* Lee Rowlands [8] of the Drupal Security Team
* Peter Wolanin [9] of the Drupal Security Team
* Sam Becker [10]
* Jasper Mattsson [11]
* David Rothstein [12] of the Drupal Security Team
* michieltcs [13]
* Ayesh Karunaratne [14]
* Alex Pott [15] of the Drupal Security Team
* Jess [16] of the Drupal Security Team
* Samuel Mortenson [17] of the Drupal Security Team
* Vijaya Chandran Mani [18]
* Drew Webber [19] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://pear.php.net/package/Archive_Tar/
[4] https://www.drupal.org/project/drupal/releases/7.69
[5] https://www.drupal.org/project/drupal/releases/8.7.11
[6] https://www.drupal.org/project/drupal/releases/8.8.1
[7] https://www.drupal.org/user/521118
[8] https://www.drupal.org/user/395439
[9] https://www.drupal.org/user/49851
[10] https://www.drupal.org/user/1485048
[11] https://www.drupal.org/user/521118
[12] https://www.drupal.org/user/124982
[13] https://www.drupal.org/user/3587972
[14] https://www.drupal.org/user/796148
[15] https://www.drupal.org/user/157725
[16] https://www.drupal.org/user/65776
[17] https://www.drupal.org/user/2582268
[18] https://www.drupal.org/user/93488
[19] https://www.drupal.org/user/255969

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

View online: https://www.drupal.org/sa-core-2019-009

Project: Drupal core [1]
Version: 8.8.x-dev8.7.x-dev
Date: 2019-December-18
Security risk: *Moderately critical* 12∕25
AC:None/A:None/CI:None/II:None/E:Theoretical/TD:All [2]
Vulnerability: Denial of Service

Description: 
A visit to install.php can cause cached data to become corrupted. This could
cause a site to be impaired until caches are rebuilt.

Solution: 
Install the latest version:

* If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11 [3].
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1 [4].

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive
security coverage.

To mitigate this issue in any version of Drupal 8, you can also block access
to install.php if it’s not required.

Reported By: 
* Drew Webber [5] of the Drupal Security Team

Fixed By: 
* Drew Webber [6] of the Drupal Security Team
* Lee Rowlands [7] of the Drupal Security Team
* Heine [8] of the Drupal Security Team
* Alex Pott [9] of the Drupal Security Team
* Jess [10] of the Drupal Security Team
* Damien McKenna [11] of the Drupal Security Team
* David Snopek [12] of the Drupal Security Team
* Nathaniel Catchpole [13] of the Drupal Security Team
* Greg Knaddison [14] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.7.11
[4] https://www.drupal.org/project/drupal/releases/8.8.1
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/255969
[7] https://www.drupal.org/user/395439
[8] https://www.drupal.org/user/17943
[9] https://www.drupal.org/user/157725
[10] https://www.drupal.org/user/65776
[11] https://www.drupal.org/user/108450
[12] https://www.drupal.org/user/266527
[13] https://www.drupal.org/user/35733
[14] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

View online: https://www.drupal.org/sa-core-2019-011

Project: Drupal core [1]
Version: 8.8.x-dev8.7.x-dev
Date: 2019-December-18
Security risk: *Moderately critical* 10∕25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
The Media Library module has a security vulnerability whereby it doesn’t
sufficiently restrict access to media items in certain configurations.

Solution: 
* If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11 [3].
* If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1 [4].

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive
security coverage.

Alternatively, you may mitigate this vulnerability by unchecking the “Enable
advanced UI” checkbox on /admin/config/media/media-library. (This mitigation
is not available in 8.7.x.)

Reported By: 
* Adam G-H [5]

Fixed By: 
* Adam G-H [6]
* Jess [7] of the Drupal Security Team
* Andrei Mateescu [8]
* Greg Knaddison [9] of the Drupal Security Team
* Alex Bronstein [10] of the Drupal Security Team
* Sean Blommaert [11]
* Lee Rowlands [12] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://security.drupal.org/project/drupal/releases/8.7.11
[4] https://security.drupal.org/project/drupal/releases/8.8.1
[5] https://www.drupal.org/user/205645
[6] https://www.drupal.org/user/205645
[7] https://www.drupal.org/user/65776
[8] https://www.drupal.org/user/729614
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/78040
[11] https://www.drupal.org/user/545912
[12] https://www.drupal.org/user/395439

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

View online: https://www.drupal.org/sa-core-2019-010

Project: Drupal core [1]
Version: 8.8.x-dev8.7.x-dev
Date: 2019-December-18
Security risk: *Moderately critical* 14∕25
AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Multiple vulnerabilities

Description: 
Drupal 8 core’s file_save_upload() function does not strip the leading and
trailing dot (‘.’) from filenames, like Drupal 7 did.

Users with the ability to upload files with any extension in conjunction with
contributed modules may be able to use this to upload system files such as
.htaccess in order to bypass protections afforded by Drupal’s default
.htaccess file.

After this fix, file_save_upload() now trims leading and trailing dots from
filenames.

Solution: 
Install the latest version:

* If you use Drupal core 8.7.x: 8.7.11 [3]
* If you use Drupal core 8.8.x: 8.8.1 [4]

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive
security coverage.

Reported By: 
* Rohit Kapur [5]
* Filipe Reis [6]
* Dan Reif [7]
* mramydnei [8]

Fixed By: 
* Lee Rowlands [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
* Michael Hess [11] of the Drupal Security Team
* Kim Pepper [12]
* Alex Pott [13] of the Drupal Security Team
* Derek Wright [14]
* Jess [15] of the Drupal Security Team
* David Rothstein [16] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.7.11
[4] https://www.drupal.org/project/drupal/releases/8.8.1
[5] https://www.drupal.org/user/3623849
[6] https://www.drupal.org/user/3521501
[7] https://www.drupal.org/user/454444
[8] https://www.drupal.org/user/3529990
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/user/102818
[12] https://www.drupal.org/user/370574
[13] https://www.drupal.org/user/157725
[14] https://www.drupal.org/user/46549
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/124982

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news