Hírolvasó

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007

Biztonsági figyelmeztetések (core) - 2019. május 8. 18.56
Project: Drupal coreDate: 2019-May-08Security risk: Moderately critical 14∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Third-party librariesDescription: 

This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor:

In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. [...]

The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

Reported By: Fixed By: