====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN127

_____________________________________________________________________

DATE                : 09/05/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): systems running Drupal core versions prior to
                                      8.7.1, 8.6.16, 7.67.

=====================================================================
https://www.drupal.org/sa-core-2019-007
_____________________________________________________________________

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007


Project: Drupal core
Date: 2019-May-08
Security risk:
Moderately critical 14∕25
AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Third-party libraries
CVE IDs: CVE-2019-11831


Description:

This security release fixes third-party dependencies included in or
required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing
protection of Phar Stream Wrapper Interceptor:

    In order to intercept file invocations like file_exists or stat on
compromised Phar archives the base name has to be determined and checked
before allowing to be handled by PHP Phar stream handling. [...]

    The current implementation is vulnerable to path traversal leading
to scenarios where the Phar archive to be assessed is not the actual
(compromised) file.


Solution:

Install the latest version:

    If you are using Drupal 8.7, update to Drupal 8.7.1
    If you are using Drupal 8.6 or earlier, update to Drupal 8.6.16.
    If you are using Drupal 7, update to Drupal 7.67.

Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive
security coverage.

Also see the Drupal core project page.


Reported By:

    Daniel Le Gall

Fixed By:

    Jess of the Drupal Security Team
    Michael Hess of the Drupal Security Team
    Oliver Hader
    David Snopek of the Drupal Security Team
    Alex Pott of the Drupal Security Team
    Daniel Le Gall
    Tim Plunkett



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================