-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4711
          Drupal project addresses four critical vulnerabilities
                             19 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal
Publisher:         Drupal
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service         -- Remote/Unauthenticated
                   Overwrite Arbitrary Files -- Existing Account      
                   Unauthorised Access       -- Existing Account      
                   Reduced Security          -- Existing Account      
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://www.drupal.org/sa-core-2019-009
   https://www.drupal.org/sa-core-2019-010
   https://www.drupal.org/sa-core-2019-011
   https://www.drupal.org/sa-core-2019-012

- --------------------------BEGIN INCLUDED TEXT--------------------

Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009

Project:       Drupal core
Date:          2019-December-18
Security risk: Moderately critical
               AC:None/A:None/CI:None/II:None/E:Theoretical/TD:All

Vulnerability: Denial of Service
Version: 8.8.x-dev 8.7.x-dev
Description:

A visit to install.php can cause cached data to become corrupted. This could
cause a site to be impaired until caches are rebuilt.

Solution:

Install the latest version:

  o If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11 .
  o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1 .

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security
coverage.

To mitigate this issue in any version of Drupal 8, you can also block access to
install.php if it's not required.

Reported By:

  o Drew Webber of the Drupal Security Team

Fixed By:

  o Drew Webber of the Drupal Security Team
  o Lee Rowlands of the Drupal Security Team
  o Heine of the Drupal Security Team
  o Alex Pott of the Drupal Security Team
  o Jess of the Drupal Security Team
  o Damien McKenna of the Drupal Security Team
  o David Snopek of the Drupal Security Team
  o Nathaniel Catchpole of the Drupal Security Team
  o Greg Knaddison of the Drupal Security Team

- --------------------------------------------------------------------------------

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010

Project:       Drupal core
Date:          2019-December-18
Security risk: Moderately critical
               AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:Default

Vulnerability: Multiple vulnerabilities
Version: 8.8.x-dev 8.7.x-dev
Description:

Drupal 8 core's file_save_upload() function does not strip the leading and
trailing dot ('.') from filenames, like Drupal 7 did.

Users with the ability to upload files with any extension in conjunction with
contributed modules may be able to use this to upload system files such as
.htaccess in order to bypass protections afforded by Drupal's default .htaccess
file.

After this fix, file_save_upload() now trims leading and trailing dots from
filenames.

Solution:

Install the latest version:

  o If you use Drupal core 8.7.x: 8.7.11
  o If you use Drupal core 8.8.x: 8.8.1

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security
coverage.

Reported By:

  o Rohit Kapur
  o Filipe Reis
  o Dan Reif
  o mramydnei

Fixed By:

  o Lee Rowlands of the Drupal Security Team
  o Greg Knaddison of the Drupal Security Team
  o Michael Hess of the Drupal Security Team
  o Kim Pepper
  o Alex Pott of the Drupal Security Team
  o Derek Wright
  o Jess of the Drupal Security Team
  o David Rothstein of the Drupal Security Team


- --------------------------------------------------------------------------------

Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011

Project:       Drupal core

Date:          2019-December-18

Security risk: Moderately critical
               AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability: Access bypass
Version: 8.8.x-dev 8.7.x-dev
Description:

The Media Library module has a security vulnerability whereby it doesn't
sufficiently restrict access to media items in certain configurations.

Solution:

  o If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11 .
  o If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1 .

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security
coverage.

Alternatively, you may mitigate this vulnerability by unchecking the "Enable
advanced UI" checkbox on /admin/config/media/media-library . (This mitigation
is not available in 8.7.x.)

Reported By:

  o Adam G-H

Fixed By:

  o Adam G-H
  o Jess of the Drupal Security Team
  o Andrei Mateescu
  o Greg Knaddison of the Drupal Security Team
  o Alex Bronstein of the Drupal Security Team
  o Sean Blommaert
  o Lee Rowlands of the Drupal Security Team

- --------------------------------------------------------------------------------

Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012
Project:       Drupal core
Date:          2019-December-18

Security risk: Critical
AC:Basic/A:User/CI:All/II:All/E:Proof/TD:Uncommon

Vulnerability: Multiple vulnerabilities
Version: 8.8.x-dev 8.7.x-dev 7.x-dev
Description:

The Drupal project uses the third-party library Archive_Tar , which has
released a security update that impacts some Drupal configurations.

Multiple vulnerabilities are possible if Drupal is configured to allow .tar ,
.tar.gz , .bz2 or .tlz file uploads and processes them.

The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file
processing vulnerabilities.

Solution:

Install the latest version:

  o If you are using Drupal 7.x, upgrade to Drupal 7.69 .
  o If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11 .
  o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1 .

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security
coverage.

Reported By:

  o Jasper Mattsson

Fixed By:

  o Lee Rowlands of the Drupal Security Team
  o Peter Wolanin of the Drupal Security Team
  o Sam Becker
  o Jasper Mattsson
  o David Rothstein of the Drupal Security Team
  o michieltcs
  o Ayesh Karunaratne
  o Alex Pott of the Drupal Security Team
  o Jess of the Drupal Security Team
  o Samuel Mortenson of the Drupal Security Team
  o Vijaya Chandran Mani Provisional Security Team Member
  o Drew Webber of the Drupal Security Team

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXfrT6GaOgq3Tt24GAQhIhg//ZPlYgNbhmEPmkHLuKr/VgnoMtLIR8ACP
lsyb8HIIyyf+Mk3THEZ7PK/67VQtL+0PsRMYL50Mjkg1qWTycWdoaQ3SUyaCH7lV
Q+VCkXm+BskBSyiTwyvTUZ5tFzyCzKAs+MneI4smqb7Q776WgHIDf18+qQgNV7ag
V1+Q/6RBPul7Rs7j/uJ+n+2Of2yHvbPmqmQUdXUfFoXq0REoKBQnoGsFIEif4t+G
MDaxBZB8seYfi7KVjP4VtVpRksuuk+aFeoMY3A3wneiVoZJnLXwd6f2yqULsmnmu
1Pkyn7XaiMSHnVZlfahbiJ526V986wcC+Co6DQw/kh+u5XT/QO3BCNU4+YFtggGa
ItvCQ9y8o2IRo/F/TjJMJj8rncxFL4OzDs5Wwz5HgQDSqCKBMM/wGmS46Daeals5
7ySVge+R2wIcI2TjJuZhBIXeSjQKAKn7yfGPd9WTk7x5Wr049pNWFMIBQjWaE7+c
Quh+UaJ0WGjSsfaYuuoygLXiv0QcZnKBirw8cz8i6/JjtzXJ360Wuu+uyp5OmQcu
BbAqGKIHaApFrcJ2DS/hMqR362X5bv4lAkbPramgJt4hz3i8IlKbPg2hh5kjwC01
0hFtHDalUJGIFgMAsLzr3bL+kjE9q4gQywziz62uyDCtfc9bjb4zImAb0/AljtpB
6brjr/mvQ10=
=36XR
-----END PGP SIGNATURE-----