From security em unicamp.br Wed Dec 18 17:28:32 2019
From: security em unicamp.br (CSIRT Unicamp)
Date: Wed, 18 Dec 2019 18:28:32 -0200
Subject: [SECURITY-L] Fwd: [Security-news] Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011

View online: https://www.drupal.org/sa-core-2019-011

Project: Drupal core [1]
Version: 8.8.x-dev, 8.7.x-dev
Date: 2019-December-18
Security risk: *Moderately critical* 10/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description:
The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.

Solution:
* If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11 [3].
* If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1 [4].

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Alternatively, you may mitigate this vulnerability by unchecking the "Enable advanced UI" checkbox on /admin/config/media/media-library. (This mitigation is not available in 8.7.x.)

Reported By:
* Adam G-H [5]

Fixed By:
* Adam G-H [6]
* Jess [7] of the Drupal Security Team
* Andrei Mateescu [8]
* Greg Knaddison [9] of the Drupal Security Team
* Alex Bronstein [10] of the Drupal Security Team
* Sean Blommaert [11]
* Lee Rowlands [12] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://security.drupal.org/project/drupal/releases/8.7.11
[4] https://security.drupal.org/project/drupal/releases/8.8.1
[5] https://www.drupal.org/user/205645
[6] https://www.drupal.org/user/205645
[7] https://www.drupal.org/user/65776
[8] https://www.drupal.org/user/729614
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/78040
[11] https://www.drupal.org/user/545912
[12] https://www.drupal.org/user/395439

_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


From security em unicamp.br Wed Dec 18 17:29:36 2019
From: security em unicamp.br (CSIRT Unicamp)
Date: Wed, 18 Dec 2019 18:29:36 -0200
Subject: [SECURITY-L] Fwd: [Security-news] Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012

View online: https://www.drupal.org/sa-core-2019-012

Project: Drupal core [1]
Version: 8.8.x-dev, 8.7.x-dev, 7.x-dev
Date: 2019-December-18
Security risk: *Critical* 17/25 AC:Basic/A:User/CI:All/II:All/E:Proof/TD:Uncommon [2]
Vulnerability: Multiple vulnerabilities

Description:
The Drupal project uses the third-party library Archive_Tar [3], which has released a security update that impacts some Drupal configurations.

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.

Solution:
Install the latest version:
* If you are using Drupal 7.x, upgrade to Drupal 7.69 [4].
* If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11 [5].
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1 [6].

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Reported By:
* Jasper Mattsson [7]

Fixed By:
* Lee Rowlands [8] of the Drupal Security Team
* Peter Wolanin [9] of the Drupal Security Team
* Sam Becker [10]
* Jasper Mattsson [11]
* David Rothstein [12] of the Drupal Security Team
* michieltcs [13]
* Ayesh Karunaratne [14]
* Alex Pott [15] of the Drupal Security Team
* Jess [16] of the Drupal Security Team
* Samuel Mortenson [17] of the Drupal Security Team
* Vijaya Chandran Mani [18]
* Drew Webber [19] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://pear.php.net/package/Archive_Tar/
[4] https://www.drupal.org/project/drupal/releases/7.69
[5] https://www.drupal.org/project/drupal/releases/8.7.11
[6] https://www.drupal.org/project/drupal/releases/8.8.1
[7] https://www.drupal.org/user/521118
[8] https://www.drupal.org/user/395439
[9] https://www.drupal.org/user/49851
[10] https://www.drupal.org/user/1485048
[11] https://www.drupal.org/user/521118
[12] https://www.drupal.org/user/124982
[13] https://www.drupal.org/user/3587972
[14] https://www.drupal.org/user/796148
[15] https://www.drupal.org/user/157725
[16] https://www.drupal.org/user/65776
[17] https://www.drupal.org/user/2582268
[18] https://www.drupal.org/user/93488
[19] https://www.drupal.org/user/255969
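As an added example (not part of either advisory and not Drupal's own tooling), a small Python check that reads a Drupal 8 site's composer.lock and compares the installed drupal/core and pear/archive_tar versions against the fixed releases named in SA-CORE-2019-011 and SA-CORE-2019-012 (8.7.11, 8.8.1, Archive_Tar 1.4.9). The package names and the composer.lock layout are assumptions; Drupal 7 sites do not use Composer and must be checked against 7.69 by release number instead.

```python
import json
from typing import Optional

# Fixed releases taken from the two advisories above.
FIXED_CORE = {"8.7": "8.7.11", "8.8": "8.8.1"}
FIXED_ARCHIVE_TAR = "1.4.9"

# Constructed composer.lock fragment for demonstration; not from a real site.
# Package names drupal/core and pear/archive_tar are assumed.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "8.8.0"},
        {"name": "pear/archive_tar", "version": "1.4.8"},
    ]
})


def parse_version(v: str) -> tuple:
    """Turn '8.7.11' or 'v1.4.9' into an integer tuple; '8.8.x-dev' becomes (8, 8, 0)."""
    parts = []
    for piece in v.lstrip("v").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def installed_versions(lock_json: str) -> dict:
    """Map package name -> version for every package recorded in the lock file."""
    lock = json.loads(lock_json)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def core_is_fixed(version: str) -> Optional[bool]:
    """True/False for 8.7.x and 8.8.x; None for branches the advisories do not cover (8.6.x is EOL)."""
    branch = ".".join(version.lstrip("v").split(".")[:2])
    fixed = FIXED_CORE.get(branch)
    if fixed is None:
        return None
    return parse_version(version) >= parse_version(fixed)


def audit(lock_json: str) -> dict:
    """Report whether core and Archive_Tar meet the fixed versions; None means 'not found'."""
    versions = installed_versions(lock_json)
    core, tar = versions.get("drupal/core"), versions.get("pear/archive_tar")
    return {
        "core": core,
        "core_fixed": core_is_fixed(core) if core else None,
        "archive_tar": tar,
        "archive_tar_fixed": parse_version(tar) >= parse_version(FIXED_ARCHIVE_TAR) if tar else None,
    }
```

A lock file that pins Archive_Tar at 1.4.9 but leaves core below the fixed release still reports core as unfixed, since the Media Library fix in SA-CORE-2019-011 is in core itself.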