Software Update: Drupal 7.67 / 8.6.16 / 8.7.1


Updates have been released for versions 7.6, 8.6, and 8.7 of Drupal that address a vulnerability in third-party libraries. Drupal is a powerful, user-friendly content management platform written in PHP that can be used, for example, to build websites. It is simple enough for a novice user, yet powerful enough to build more complex websites. The program includes a content management platform and a development framework. More information about the vulnerability can be found below:

Security risk: Moderately critical 14-25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon

Vulnerability: Third-party libraries

Description: This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor:

In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. […]

The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.
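The failure mode in the quoted text, where the archive that gets assessed is not the one the path finally points to, can be shown with a simplified check. This is an added PHP example, not code from Drupal core or the TYPO3 Phar Stream Wrapper; the function names, file list and paths are constructed assumptions. It denies any phar:// URL whose archive differs before and after "." and ".." segments are collapsed.

```php
<?php
// Added illustration, not Drupal or TYPO3 code; all names and paths are hypothetical.
/** Collapse "." and ".." segments textually, without touching the file system. */
function canonicalize(string $path): string
{
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '..') {
            array_pop($out);
        } elseif ($seg !== '' && $seg !== '.') {
            $out[] = $seg;
        }
    }
    return '/' . implode('/', $out);
}

/** Longest leading part of $path that names a known file, or null if none. */
function archiveOf(string $path, array $knownFiles): ?string
{
    $parts = explode('/', $path);
    while (count($parts) > 1) {
        $candidate = implode('/', $parts);
        if (in_array($candidate, $knownFiles, true)) {
            return $candidate;
        }
        array_pop($parts);
    }
    return null;
}

/** Allow a phar:// URL only if raw and canonical paths agree on the archive. */
function assess(string $url, array $knownFiles): string
{
    $path = preg_replace('#^phar://#i', '', $url);
    $raw = archiveOf($path, $knownFiles);
    $canonical = archiveOf(canonicalize($path), $knownFiles);
    if ($canonical === null) {
        return 'deny: no archive found';
    }
    if ($raw !== $canonical) {
        return "deny: traversal changes archive ($raw vs $canonical)";
    }
    return "check archive: $canonical";
}

// Constructed sample data: two archives and two URLs, one containing ".." segments.
$files = ['/srv/app/vendor/tool.phar', '/srv/app/data/a.phar'];
echo assess('phar:///srv/app/vendor/tool.phar/src/Cli.php', $files), PHP_EOL;
echo assess('phar:///srv/app/data/a.phar/../../vendor/tool.phar/src/Cli.php', $files), PHP_EOL;
```

The second URL is denied because the uncollapsed path yields one archive and the collapsed path another, which is the mismatch the advisory describes.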

Solution: Install the latest version:

Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.

Version number: 7.67 / 8.6.16 / 8.7.1
Release status: Final
Operating systems: script language
Website: Drupal
Download
License type: GPL