Problem/Motivation

pear/Archive_Tar 1.4.12 has been released: https://github.com/pear/Archive_Tar/releases/tag/1.4.12

See also https://nvd.nist.gov/vuln/detail/CVE-2020-36193

Proposed resolution

Upgrade pear/archive_tar on the 8.9.x branch from 1.4.11 to 1.4.12 in composer/Metapackage/CoreRecommended/composer.json
Determine whether other branches need updates
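Added example, not code from this issue or from Archive_Tar: a Python pre-extraction audit for the defect class the advisory names (writes through symbolic links that escape the extraction directory). It walks the archive without extracting anything and flags entries whose path or link target leaves the root, or that would be written beneath a symlink the same archive created earlier; the sample archive is constructed inline. The walk is language-agnostic and applies equally to a PHP extractor.

```python
import io
import posixpath
import tarfile

def _escapes(root: str, path: str) -> bool:
    """True if root/path, once normalised, lies outside root."""
    norm = posixpath.normpath(posixpath.join(root, path))
    return norm != root and not norm.startswith(root + "/")

def audit_tar(data: bytes) -> list:
    """List (member, reason) for entries unsafe to extract: names or link targets
    escaping the root, and files placed beneath a symlink this archive created."""
    root = "/dest"      # abstract root, used only for path arithmetic
    symlinks = set()    # normalised names of symlinks seen so far in the archive
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            name = m.name
            if posixpath.isabs(name) or _escapes(root, name):
                findings.append((name, "path escapes extraction root"))
                continue
            # Any ancestor directory that is an archive-provided symlink means
            # this entry would be written through that link.
            parts = posixpath.normpath(name).split("/")
            if any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
                findings.append((name, "written through an archive symlink"))
                continue
            if m.issym() or m.islnk():
                if m.issym():
                    symlinks.add(posixpath.normpath(name))
                # symlink targets are relative to the link's directory;
                # hard-link targets are relative to the archive root
                base = posixpath.dirname(name) if m.issym() else ""
                target = posixpath.join(base, m.linkname)
                if posixpath.isabs(m.linkname) or _escapes(root, target):
                    findings.append((name, "link target escapes extraction root"))
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample: benign file, symlink above the root, file beneath it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("safe/readme.txt", b"hello\n"), ("link", None),
                              ("link/dropped.txt", b"x\n")):
            info = tarfile.TarInfo(name)
            if payload is None:                 # the symlink entry
                info.type, info.linkname = tarfile.SYMTYPE, "../outside"
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Run `audit_tar(build_sample_archive())` to see both the escaping symlink and the file beneath it reported; an archive with no findings is the only kind worth passing to an extractor.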

Comments

rjg created an issue.

rjg

Note that this CVE is causing SensioLabs security checker to fail:

Symfony Security Check Report
=============================

1 packages have known vulnerabilities.

pear/archive_tar (1.4.11)
-------------------------

 * [CVE-2020-36193][]: Allows write operations with Directory Traversal due to inadequate checking of symbolic links

[CVE-2020-36193]: https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916

Note that this checker can only detect vulnerabilities that are referenced in the SensioLabs security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.
santhosh.fernando

Agree with #2. I think we need to have a release soon based on this.

webadpro

My co-worker and I ran into this issue also, although on 9.1.x.

cilefen

Status: Active » Closed (outdated)