Drupal security updates 7.82, 8.9.17, 9.1.11, and 9.2.2 released with Archive_Tar library updates

Published On2021-07-21

Drupal SA-CORE-2021-004

Drupal, a popular Content Management Software written in PHP, has released security updates that prevents a symlink path traversal vulnerability in one of its bundled dependencies.

Drupal depends on Archive_Tar PHP library to decompress Tar files. Drupal uses Tar-compressed files when it downloads module/theme updates, and allows site administrators to upload modules and themes from the Drupal administration panel.

The upstream Archive_Tar library released a security release 1.4.14, which fixes a symlink path traversal vulnerability. Because Drupal bundles Archive_Tar library, Drupal also released a series of new security releases for all its supports branches containing the updated Archive_Tar library.

Released Security Fixes

Following Drupal versions contain fixes for the vulnerability:

All other version series, such as Drupal 8.x series prior to 8.9 are not covered under Drupal security coverage, and will not receive updates.

All Drupal 7.x, 8.x, and 9.x sites are strongly suggested to update to the latest Drupal version.

Mitigation Factors

The symlink path traversal vulnerability is not exploitable from the way Drupal core uses the Archive_Tar library. However, a maliciously created .tar.gz, .tar, etc. file could exploit the vulnerability if it was uploaded to a Drupal form that extracts such files using the Archive_Tar library.

In other news on PHP.Watch

All NewsFeed
Ubuntu 21.10 — Impish Indri — to be released with PHP 8.0

Ubuntu 21.10 — Impish Indri — to be released with PHP 8.0

Ubuntu 21.10 — Impish Indri — to be released on Oct 14, will contain PHP 8.0 in its default software repositories.
Composer 2.1.9 and 1.12.23 released with security and bug fixes

Composer 2.1.9 and 1.12.23 released with security and bug fixes

Composer 2.1.9 and 1.12.23 versions are released with a security fix for Windows command-injection vulnerability and bug fixes.
PHP 7.3.31, 7.4.24, and 8.0.11 Released with Bug and Security Fixes

PHP 7.3.31, 7.4.24, and 8.0.11 Released with Bug and Security Fixes

PHP versions 7.3.31, 7.4.24, and 8.0.11 are released with several bug fixes and a security fix.
Subscribe to PHP.Watch newsletter for monthly updates

You will receive an email on last Wednesday of every month and on major PHP releases with new articles related to PHP, upcoming changes, new features and what's changing in the language. No marketing emails, no selling of your contacts, no click-tracking, and one-click instant unsubscribe from any email you receive.