Problem/Motivation
https://github.com/pear/Archive_Tar/releases/tag/1.4.13 has been released.
This includes at least one security hardening:
https://github.com/pear/Archive_Tar/pull/34
D7 issue to cherry pick / copy paste this PR: #3195939: hardening of destructor in Archive_Tar
Steps to reproduce
n/a
Proposed resolution
Ensure that D8/9 update dependencies.
Remaining tasks
Update composer.json etc.
User interface changes
n/a
API changes
n/a
Data model changes
n/a
Release notes snippet
Archive_Tar has been updated to 1.4.13 for a security hardening.
Comment | File | Size | Author |
---|---|---|---|
#3 | archive_tar-3199205-3-8_9_x.patch | 2.33 KB | xjm |
#3 | archive_tar-3199205-3-9_0_x.patch | 2.32 KB | xjm |
#3 | archive_tar-3199205-3-9_1_x.patch | 1.93 KB | xjm |
#3 | archive_tar-3199205-3-9_2_x.patch | 1.93 KB | xjm |
Comments
Comment #2
xjm
Comment #3
xjm
Here we go. Included a patch for 9.0.x in case we want to harden that as well.
Comment #4
xjm
Note that I didn't increase the constraints, since this is an update for a hardening.
Comment #5
mcdruid
LGTM, thanks!
Comment #6
alexpott
Committed 64e0464 and pushed to 9.2.x. Thanks!
Committed 0f50479 and pushed to 9.1.x. Thanks!
Committed 485d2a3 and pushed to 8.9.x. Thanks!
I skipped the 9.0.x patch because I think that that only gets security releases. So I'm unsure of when we'd release the fix if I committed it there.
Comment #10
xjm
Given that a release manager filed the issue, it's probably safe to assume that it's at least under consideration, no? We do patch releases on the security-covered branch at times when there is a critical or strategic reason for doing so, and I have reasons for exploring it here.
Comment #11
alexpott
Committed 0674479 and pushed to 9.0.x. Thanks!
@catch is in favour too; along with #10, let's backport to 9.0.x too.
Comment #13
xjm
Comment #15
xjm
Fixing tags.
Comment #16
xjm
Well actually this went out in 9.1.x already and just didn't get mentioned.