
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN038
_____________________________________________________________________

DATE                : 21/01/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Drupal core versions prior to
                      9.1.3, 9.0.11, 8.9.13, 7.78.

=====================================================================
https://www.drupal.org/sa-core-2021-001
_____________________________________________________________________

Drupal core - Critical - Third-party libraries - SA-CORE-2021-001

Project:        Drupal core
Date:           2021-January-20
Security risk:
Critical 18∕25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon
Vulnerability:  Third-party libraries


Description:

The Drupal project uses the PEAR Archive_Tar library, which has released
a security update that impacts Drupal. For more information please see:

    CVE-2020-36193

Exploits may be possible if Drupal is configured to allow .tar, .tar.gz,
.bz2, or .tlz file uploads and processes them.


Solution:

Install the latest version:

    If you are using Drupal 9.1, update to Drupal 9.1.3.
    If you are using Drupal 9.0, update to Drupal 9.0.11.
    If you are using Drupal 8.9, update to Drupal 8.9.13.
    If you are using Drupal 7, update to Drupal 7.78.

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive
security coverage.

Disable uploads of .tar, .tar.gz, .bz2, or .tlz files to mitigate the
vulnerability.
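As an added example (not part of the CERT-Renater or Drupal advisory), a small Python triage helper that checks an inventoried Drupal core version against the fixed releases listed above and flags upload filenames carrying the archive extensions the advisory says to disable. Host names and versions in the sample inventory are constructed.

```python
"""Added example (not from the advisory): triage helpers for SA-CORE-2021-001.

Encodes only what the advisory states: the fixed release per branch, the
end-of-life status of Drupal 8 before 8.9.x, and the archive extensions
whose upload should be disabled as a mitigation.
"""
from typing import Tuple

# Fixed releases listed in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (9, 1): (9, 1, 3),
    (9, 0): (9, 0, 11),
    (8, 9): (8, 9, 13),
}
FIXED_D7 = (7, 78)

# Upload types the advisory says to disable as a mitigation.
RISKY_EXTENSIONS = (".tar", ".tar.gz", ".bz2", ".tlz")


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.1.2' -> (9, 1, 2); a pre-release suffix such as '-rc1' is dropped."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def assess(version: str) -> str:
    """Classify a core version: 'fixed', 'vulnerable', 'end-of-life' or 'unknown'."""
    v = parse_version(version)
    if v[0] == 7:
        return "fixed" if v >= FIXED_D7 else "vulnerable"
    if v[0] == 8 and v[:2] != (8, 9):
        return "end-of-life"  # advisory: no security coverage, no fix to apply
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown"  # branch not named in this advisory
    return "fixed" if v >= fixed else "vulnerable"


def is_risky_upload(filename: str) -> bool:
    """True if the filename ends with one of the extensions the advisory lists."""
    return filename.lower().endswith(RISKY_EXTENSIONS)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("www-1", "9.1.2"), ("www-2", "8.9.13"), ("legacy", "8.8.4")]:
        print(f"{host}: Drupal {ver} -> {assess(ver)}")
    print(is_risky_upload("report.TAR.GZ"))  # True
```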


Reported By:

    Richard Sheppard
    Stephen Cross
    Jonathan Danaher
    Kim Pepper

Fixed By:

    Lee Rowlands of the Drupal Security Team
    Drew Webber of the Drupal Security Team
    Greg Knaddison of the Drupal Security Team
    Vijay Mani Provisional Member of the Drupal Security Team
    Jess of the Drupal Security Team
    Michael Hess of the Drupal Security Team



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


