Date: 
Wednesday, Jan 20th, 2021
Advisory ID: 
BACKDROP-SA-CORE-2021-001
Security risk: 
Critical
Vulnerability: 
Third Party Libraries
CVE ID: 
CVE-2020-36193
Versions affected: 
  • Backdrop Core 1.18.x versions prior to 1.18.1
  • Backdrop Core 1.17.x versions prior to 1.17.6

Backdrop versions 1.16 and prior do not receive security coverage.

Description: 

There will be a security release of Backdrop 1.18.x, and 1.17.x on January 27th, 2021 between 19:00 - 23:00 UTC. Security release announcements will appear here, on the Backdrop security page. This release will not require a database update.

The PEAR Archive_Tar library included with Backdrop core released a security update earlier this month, CVE-2020-36193. The core update will patch the library to include this fix. This security release will correlate to Drupal security release SA-CORE-2021-001 issued on January 20th. 2021.

Because Backdrop issued its regularly scheduled minor release on January 15th, and based on the severity of these issues, the Backdrop Security Team has agreed to postpone this security release for one week.

 

Solution: 

Disable uploads of .tar.tar.gz.bz2, or .tlz files,and disable the Installer module to mitigate the vulnerability until the newest release is out.

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to backdropcms.org
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form