Drupal security updates 7.82, 8.9.17, 9.1.11, and 9.2.2 released with Archive_Tar library updates
Drupal, a popular content management system written in PHP, has released security updates that prevent a symlink path traversal vulnerability in one of its bundled dependencies.
Drupal depends on the Archive_Tar PHP library to decompress tar files. Drupal uses tar-compressed files when it downloads module and theme updates, and it allows site administrators to upload modules and themes from the Drupal administration panel.
The Archive_Tar library issued security release 1.4.14, which fixes a symlink path traversal vulnerability. Because Drupal bundles the Archive_Tar library, Drupal also released a series of new security releases for all of its supported branches containing the updated
- Security advisory for
- Security announcement for Drupal: SA-CORE-2021-004
Released Security Fixes
The following Drupal versions contain fixes for the vulnerability:
- Drupal 7.x series: Drupal 7.82
- Drupal 8.9 series: Drupal 8.9.17
- Drupal 9.1 series: Drupal 9.1.11
- Drupal 9.2 series: Drupal 9.2.2
All other version series, such as the Drupal 8.x series prior to 8.9, are not covered by Drupal security coverage and will not receive updates.
All Drupal 7.x, 8.x, and 9.x sites are strongly advised to update to the latest Drupal version.
The symlink path traversal vulnerability is not exploitable through the way Drupal core uses the Archive_Tar library. However, a maliciously crafted .tar (or similar) archive could exploit the vulnerability if it were uploaded to a Drupal form that extracts such files using the