Software update: Drupal 7.75 / 8.8.12 / 8.9.10 / 9.0.9

Updates have been released for Drupal versions 7.7, 8.8, 8.9 and 9.0. Drupal is a user-friendly and powerful content management platform written in PHP, which can be used to create websites, for example. It’s simple enough for a novice user, but powerful enough to build a more complex website as well. The program includes a content management platform and a development framework. The updates contain a fix for the following security issue:

Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2020-013Project: Drupal core
Security risk: Critical 18∕25 AC: Complex / A: User / CI: All / II: All / E: Exploit / TD: Uncommon
Vulnerability: Arbitrary PHP code execution
Description: The Drupal project uses the PEAR Archive_Tar library . The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:

  • CVE-2020-28948
  • CVE-2020-28949

Multiple vulnerabilities are possible if Drupal is configured to allow .tar.tar.gz.bz2, or .tlzfile uploads and processes them. To Mitigate this issue, preventable untrusted users from uploading .tar.tar.gz.bz2, or .tlzfiles. This is a different issue than SA-CORE-2019-012 . Similar configuration changes may mitigate the problem until you are able to patch.

Solution: Install the latest version:

  • If you are using Drupal 9.0, update to Drupal 9.0.9
  • If you are using Drupal 8.9, update to Drupal 8.9.10
  • If you are using Drupal 8.8 or earlier, update to Drupal 8.8.12
  • If you are using Drupal 7, update to Drupal 7.75

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.

Version number 7.75 / 8.8.12 / 8.9.10 / 9.0.9
Release status Final
Operating systems Script language
Website Drupal
License type GPL