There will be a security release of Backdrop 1.18.x, and 1.17.x on January 27th, 2021 between 19:00 - 23:00 UTC. Security release announcements will appear here, on the Backdrop security page. This release will not require a database update.
The PEAR Archive_Tar library included with Backdrop core released a security update earlier this month, CVE-2020-36193. The core update will patch the library to include this fix. This security release will correlate to Drupal security release SA-CORE-2021-001 issued on January 20th. 2021.
Because Backdrop issued its regularly scheduled minor release on January 15th, and based on the severity of these issues, the Backdrop Security Team has agreed to postpone this security release for one week.
- Backdrop Core 1.18.x versions prior to 1.18.1
- Backdrop Core 1.17.x versions prior to 1.17.6
Backdrop versions 1.16 and prior do not receive security coverage.