Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.
To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2 or .tlz files.
This is a different issue than SA-CORE-2019-12, similar configuration changes may mitigate the problem until you are able to patch.
Install the latest version:
- If you are using Drupal 9.0, update to Drupal 9.0.9
- If you are using Drupal 8.9, update to Drupal 8.9.10
- If you are using Drupal 8.8 or earlier, update to Drupal 8.8.12
- If you are using Drupal 7, update to Drupal 7.75
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
According to the regular security release window schedule, November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.