Patch/Configuration Management, Vulnerability Management

Drupal’s Archive Tar patches multiple crititical vulnerabilities

December 20, 2019

Drupal Core announced multiple critical vulnerabilities that impact some of its configurations for versions: 8.8.x-dev, 8.7.x-dev, and 7.x-dev.

The Drupal project uses the third-party library Archive_Tar, which released a security update - SA-CORE-2019-012, according to a Dec. 18 advisory.

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.

Drupal also advises users to install the latest versions:

If you are using Drupal 7.x, upgrade to Drupal 7.69.
If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11.
If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1.

In addition, updating to the Drupal 7.x core release will apply the fixes for all the below:

Larry Jaffee

Vulnerability Management

Apple patches TCC bypass vulnerability

SC StaffDecember 19, 2024

The vulnerability, tracked as CVE-2024-44131, was discovered in the FileProvider component and has been fixed in iOS 18, iPadOS 18, and macOS Sequoia 15 through improved validation of symbolic links.

concept of leaky software, data with a tap sticking out.3d illustration

Data Security

Misconfiguration exposes Virtavo security cam user data

SC StaffDecember 18, 2024

Over 8.7 million records, many of which are duplicates, were discovered within the server, including user phone numbers, network information, device identifiers, performance metrics, and other personal details, according to Cybernews researchers.