Project:
Date:
2019-January-16
Vulnerability:
Third Party Libraries
Description:
Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.
Solution:
- If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6.
- If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9.
- If you are using Drupal 7.x, upgrade to Drupal 7.62.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
Reported By:
Fixed By:
- Jess of the Drupal Security Team
- Ayesh Karunaratne
- michieltcs
- Lee Rowlands of the Drupal Security Team
- Alex Pott of the Drupal Security Team
Additional information
Note: Going forward, Drupal core will issue individual security advisories for separate vulnerabilities included in the release, rather than lumping “multiple vulnerabilities” into a single advisory. All advisories released today:
Updating to the latest Drupal core release will apply the fixes for all the above advisories.