Date: Wednesday, Jan 27th, 2021
Security risk: Critical
Advisory ID: BACKDROP-SA-CORE-2021-001
Vulnerability: Third Party Libraries
Versions affected:
  • Backdrop Core 1.18.x versions prior to 1.18.1
  • Backdrop Core 1.17.x versions prior to 1.17.6

Backdrop versions 1.16 and prior do not receive security coverage.

Description: 

The Backdrop project uses the PEAR Archive_Tar library, which has released a security update that impacts Backdrop. For more information please see:

Exploits may be possible if Backdrop is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them, or if the Installer module is enabled.
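A triage helper covering both the affected-version ranges above and the two preconditions in the previous paragraph, added here as an example and not Backdrop's own code. It assumes the caller has already read the site's core version, the allowed upload extensions, and the Installer module state from the site; how those are obtained is site-specific and not shown.

```python
# Added example (not Backdrop project code): triage a Backdrop site against
# BACKDROP-SA-CORE-2021-001 using only the facts stated in the advisory.
import re

# branch -> first release containing the fix
FIRST_FIXED = {(1, 18): (1, 18, 1), (1, 17): (1, 17, 6)}
OLDEST_COVERED_BRANCH = (1, 17)          # 1.16 and earlier get no security coverage
LATEST_BRANCH_IN_ADVISORY = (1, 18)

# upload types named in the advisory as enabling exploitation
RISKY_EXTENSIONS = {"tar", "tar.gz", "bz2", "tlz"}


def parse_version(version: str) -> tuple:
    """Turn '1.18.0' into (1, 18, 0); rejects dev strings such as '1.18.x-dev'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised Backdrop version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def advisory_status(version: str) -> str:
    """'vulnerable', 'fixed', 'unsupported' (no coverage) or 'later-branch'."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < OLDEST_COVERED_BRANCH:
        return "unsupported"
    if branch > LATEST_BRANCH_IN_ADVISORY:
        return "later-branch"          # released after the advisory; not in its ranges
    return "fixed" if (major, minor, patch) >= FIRST_FIXED[branch] else "vulnerable"


def is_exposed(version: str, allowed_extensions, installer_enabled: bool) -> bool:
    """True when the core is not patched AND at least one advisory precondition holds.

    allowed_extensions: extensions the site accepts for upload (assumed input,
    e.g. gathered from file field settings), compared case-insensitively.
    """
    if advisory_status(version) in ("fixed", "later-branch"):
        return False
    risky_upload = bool(RISKY_EXTENSIONS & {e.lower().lstrip(".") for e in allowed_extensions})
    return risky_upload or installer_enabled
```

A site on an unsupported branch is reported as exposed whenever a precondition holds, since no fixed release exists for it.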

Solution: 

Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.18.1 release page. See the update instructions, if needed.

Fixed By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"