Patch/Configuration Management, Vulnerability Management

Drupal’s Archive Tar patches multiple crititical vulnerabilities

Drupal Core announced multiple critical vulnerabilities that impact some of its configurations for versions: 8.8.x-dev, 8.7.x-dev, and 7.x-dev.

The Drupal project uses the third-party library Archive_Tar, which released a security update - SA-CORE-2019-012, according to a Dec. 18 advisory.

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.

Drupal also advises users to install the latest versions:

In addition, updating to the Drupal 7.x core release will apply the fixes for all the below:

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.