This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor:
In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. […]
The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.
Install the latest version:
- If you are using Drupal 8.7, update to Drupal 8.7.1
- If you are using Drupal 8.6 or earlier, update to Drupal 8.6.16.
- If you are using Drupal 7, update to Drupal 7.67.
Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.
Also see the Drupal core project page.
- Jess of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Oliver Hader
- David Snopek of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- Daniel Le Gall
- Tim Plunkett