Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.
- Jess of the Drupal Security Team
- Ayesh Karunaratne
- Lee Rowlands of the Drupal Security Team
- Alex Pott of the Drupal Security Team
Users are reporting seeing a fatal error when updating their sites with Drush. Site owners may be able to run
drush updb and either
drush cc all or
drush cr depending on the version to complete the update. Check the status report afterward to confirm that Drupal has been updated. See https://www.drupal.org/project/drupal/issues/3026386 for details.
Note: Going forward, Drupal core will issue individual security advisories for separate vulnerabilities included in the release, rather than lumping “multiple vulnerabilities” into a single advisory. All advisories released today:
Updating to the latest Drupal core release will apply the fixes for all the above advisories.