The Drupal project uses the third-party library Archive_Tar, which has released a security update that impacts some Drupal configurations.
Multiple vulnerabilities are possible if Drupal is configured to allow .tlz file uploads and processes them.
The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.
Install the latest version:
- If you are using Drupal 7.x, upgrade to Drupal 7.69.
- If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11.
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1.
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.
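One way to triage a Composer-managed site against the fixed versions listed above, as an added example that is not part of the advisory or of Drupal itself. It assumes the site has a `composer.lock` and that the library appears there under its Composer package name `pear/archive_tar`; the sample lock data is constructed.

```python
import json
import re

# Fixed releases taken from the advisory text.
FIXED_CORE = {(7,): (7, 69), (8, 7): (8, 7, 11), (8, 8): (8, 8, 1)}
FIXED_ARCHIVE_TAR = (1, 4, 9)

def parse_version(text):
    """'8.7.10', 'v1.4.8' or '7.68' -> tuple of ints; None for dev/alias versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(p) for p in m.groups() if p is not None) if m else None

def assess_core(version):
    v = parse_version(version)
    if v is None:
        return "unparsed"
    if v[0] == 8 and v[:2] < (8, 7):
        return "end-of-life"          # no security coverage per the advisory
    branch = (7,) if v[0] == 7 else v[:2]
    fixed = FIXED_CORE.get(branch)
    if fixed is None:
        return "not-listed"           # branch the advisory does not name
    return "patched" if v >= fixed else "vulnerable"

def assess_archive_tar(version):
    v = parse_version(version)
    if v is None:
        return "unparsed"
    return "patched" if v >= FIXED_ARCHIVE_TAR else "vulnerable"

def audit_lock(lock_text):
    """Return {package: (version, status)} for the two packages the advisory concerns."""
    lock = json.loads(lock_text)
    checks = {"drupal/core": assess_core, "pear/archive_tar": assess_archive_tar}
    report = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        check = checks.get(pkg.get("name"))
        if check:
            report[pkg["name"]] = (pkg["version"], check(pkg["version"]))
    return report

# Constructed composer.lock fragment (not from a real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "8.7.10"},
    {"name": "pear/archive_tar", "version": "1.4.8"},
    {"name": "symfony/yaml", "version": "v3.4.36"},
]})

if __name__ == "__main__":
    for name, (version, status) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {version}: {status}")
```

A "not-listed" or "unparsed" result means the advisory's version list does not settle the question for that install, so the installed Archive_Tar version still needs checking by hand.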
- Lee Rowlands of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Sam Becker
- Jasper Mattsson
- David Rothstein of the Drupal Security Team
- Ayesh Karunaratne
- Alex Pott of the Drupal Security Team
- Jess of the Drupal Security Team
- Samuel Mortenson of the Drupal Security Team
- Vijaya Chandran Mani, Provisional Security Team Member
- Drew Webber of the Drupal Security Team