This security release includes two vulnerabilities separated into two different advisories:
- SA-CORE-2019-001: An update of the third-party PEAR Archive_Tar library that recently released a security update.
- SA-CORE-2019-002: A remote code execution vulnerability when performing file operations on an untrusted phar:// URI.
You can learn more about these vulnerabilities in the Drupal official announcements. It is suggested that you upgrade your Drupal application to Drupal 7.63 or later, and Drupal 8.6.7 or later. You can follow our documentation to learn how to upgrade your application to strengthen its security. We highly recommend creating a backup before performing the upgrade.
For new application deployments, including those made from the Bitnami Launchpad, we released Drupal 7.63 and 8.6.7 versions for containers, installers, virtual machines, cloud images, and Multi-Tier solutions. We also updated the Drupal based solutions (CiviCRM and OpenAtrium). These include all the necessary fixes to address the vulnerabilities listed above. If you deploy Bitnami any of those applications and it is not yet updated to the latest version, you will need to upgrade by following our documentation.
If you have further questions about this security issue, please post to our community forum, where we will be happy to help.