Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.
- Jess of the Drupal Security Team
- Ayesh Karunaratne
- Lee Rowlands of the Drupal Security Team
- Alex Pott of the Drupal Security Team
Note: Going forward, Drupal core will issue individual security advisories for separate vulnerabilities included in the release, rather than lumping “multiple vulnerabilities” into a single advisory. All advisories released today:
Updating to the latest Drupal core release will apply the fixes for all the above advisories.