Drupal: Security update

drupal 9.0.0-beta2

5 days 23 hours ago
Release files: drupal-9.0.0-beta2.tar.gz, drupal-9.0.0-beta2.zip

This is a beta release for the next major version of Drupal. Drupal 9 beta releases are intended for site owners and module or theme authors to test compatibility and upgrade paths for Drupal 9.0. Beta releases are not intended for production.

This release fixes security vulnerabilities present in 9.0.0-beta1. Sites are urged to upgrade immediately after reading the security announcement and notes below:

Note that Drupal 8 is not affected by the Symfony vulnerabilities above.

Refer to How to prepare your Drupal 7 or 8 site for Drupal 9 for tools you can use to check the Drupal 9 compatibility of modules, themes, and sites. For more information on 9.0.x development, see #3007300: [META] Release Drupal 9 on June 3 2020.

The 9.0.x branch also includes all the latest commits that will be backported to 8.9.x and earlier branches. 9.0.x and 8.9.x have the same APIs and features. The key changes in 9.0.x are:

  1. Deprecated code will be removed.
  2. Dependencies will be updated to new major versions as appropriate.
  3. Platform requirements (supported PHP and database versions) will be increased.

For all other changes, refer to the 8.9.x branch.

Important update information

Known issues

Search the issue queue for known issues.

All changes since 9.0.0-beta1
VCS Label: 9.0.0-beta2
Release type: Security update, Bug fixes
Short description: Drupal 9 betas are for testing sites and projects with the upcoming Drupal 9.0 release. They are not for production.
Packaged Git sha1: 772aa3faa0ec9da0b8627a4359044cfce6e1999f
xjm

svg_image 8.x-1.10

1 week 4 days ago

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008.

Fix XSS security issue.
The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.

Release files: svg_image-8.x-1.10.tar.gz, svg_image-8.x-1.10.zip
VCS Label: 8.x-1.10
Core compatibility: 8.x
Release type: Security update
Packaged Git sha1: e989303020484d553bb96f07abd7e8412057974c
zvse

drupal 8.8.4

2 weeks 4 days ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose?

Security coverage information
  • Drupal 8.8.x will receive security coverage until December 2, 2020 when Drupal 9.1.0 is released.
  • Sites on 8.7.x or earlier should update immediately to Drupal 8.7.12 instead, and plan to update to the latest 8.8.x release before June 3, 2020 (when Drupal 8.9.0 is scheduled for release and 8.7.x security coverage ends).
  • Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.
Important update information

No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release files: drupal-8.8.4.tar.gz, drupal-8.8.4.zip
VCS Label: 8.8.4
Core compatibility: 8.x
Release type: Security update
Short description: Actively maintained with new features and backwards-compatible improvements every six months. Use this version for the best compatibility with future releases.
Packaged Git sha1: b41facbb7853266788c489ad3c4f932dbdd18809
xjm

drupal 8.7.12

2 weeks 4 days ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose?

Security coverage information
  • Sites on 8.7.x will receive security coverage until June 3, 2020 (when Drupal 8.9.0 is scheduled for release).
  • Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.
Important update information

No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release files: drupal-8.7.12.tar.gz, drupal-8.7.12.zip
VCS Label: 8.7.12
Core compatibility: 8.x
Release type: Security update
Short description: Actively maintained with new features and backwards-compatible improvements every six months. Use this version for the best compatibility with future releases.
Packaged Git sha1: 6b8876efb37dd2b57aa96d5cec66572a72550869
drumm

ckeditor 7.x-1.19

2 weeks 4 days ago

Security update.

Install the latest version:

Important note: If you use the CKEditor CDN, it is highly recommended to update the CKEditor JavaScript library to the newest version (at least 4.14.0).
To do so, edit the "CKEditor Global profile" settings in the admin panel, at /admin/config/content/ckeditor/editg.

The current version can be found at https://cdn.ckeditor.com/.

Also see the CKEditor - WYSIWYG HTML editor project page.

Full changelist since 7.x-1.18:

Release files: ckeditor-7.x-1.19.tar.gz, ckeditor-7.x-1.19.zip
VCS Label: 7.x-1.19
Core compatibility: 7.x
Release type: Security update
Short description: Security update.
Packaged Git sha1: c227216696472aecf492ee67efbaf447b956c466
vokiel

saml_sp 8.x-3.7

3 weeks 4 days ago

SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006.

Security issue: Visitors may create accounts without admin approval.

Release files: saml_sp-8.x-3.7.tar.gz, saml_sp-8.x-3.7.zip
VCS Label: 8.x-3.7
Core compatibility: 8.x
Release type: Security update
Packaged Git sha1: c96eeb4ffb845cb87389ba67dc3b7e8cc8a0c619
jrglasgow

svg_formatter 8.x-1.12

1 month ago

SVG Formatter - Critical - Cross site scripting - SA-CONTRIB-2020-005.

Bug fixes:

Release files: svg_formatter-8.x-1.12.tar.gz, svg_formatter-8.x-1.12.zip
VCS Label: 8.x-1.12
Core compatibility: 8.x
Release type: Security update
Short description: Updates svg-sanitize version after SecurityAdvisories updates.
Packaged Git sha1: b2acca06cf2e37bfba55d5ffa2153c6db3315af0
gnikolovski

profile 8.x-1.1

1 month 2 weeks ago

Contains fix for SA-CONTRIB-2020-004

Contributors (6)

flocondetoile, Martijn de Wit, Adam Clarey, bojanz, czigor, fisherman90

Changelog

Issues: 5 issues resolved.

Changes since 8.x-1.0:

Release files: profile-8.x-1.1.tar.gz, profile-8.x-1.1.zip
VCS Label: 8.x-1.1
Core compatibility: 8.x
Release type: Security update, Bug fixes
Packaged Git sha1: 1b477b0de4068b5c431b86a93f6b666dcbea7e9c
bojanz

tmgmt_morningside 7.x-1.2

1 month 3 weeks ago
  • Updated live URL for API.
Release files: tmgmt_morningside-7.x-1.2.tar.gz, tmgmt_morningside-7.x-1.2.zip
VCS Label: 7.x-1.2
Core compatibility: 7.x
Release type: Security update, Bug fixes
Packaged Git sha1: ff92c90e7c4ba00038b2396a0e1e36fcaa4af9e5
gurubaskar

tmgmt_morningside 7.x-1.1

1 month 3 weeks ago
  • Fixed parview issues.
  • Updated README file.
Release files: tmgmt_morningside-7.x-1.1.tar.gz, tmgmt_morningside-7.x-1.1.zip
VCS Label: 7.x-1.1
Core compatibility: 7.x
Release type: Security update
Packaged Git sha1: b7b0efc6dcdaccab12e7f4b40d0330436bf17c60
gurubaskar

views_bulk_operations 8.x-2.6

2 months ago

Fixes possible access bypass when displaying actions selectable to users on the VBO Views forms.

See Views Bulk Operations (VBO) - Less critical - Acce - SA-CONTRIB-2020-003.

Release files: views_bulk_operations-8.x-2.6.tar.gz, views_bulk_operations-8.x-2.6.zip
VCS Label: 8.x-2.6
Core compatibility: 8.x
Release type: Security update
Packaged Git sha1: abb925d7605f9e4917e7ccbc3df7fdcc323b5fc2
Graber

views_bulk_operations 8.x-3.4

2 months ago

Fixes possible access bypass when displaying actions selectable to users on the VBO Views forms.

See Views Bulk Operations (VBO) - Less critical - Acce - SA-CONTRIB-2020-003.

Release files: views_bulk_operations-8.x-3.4.tar.gz, views_bulk_operations-8.x-3.4.zip
VCS Label: 8.x-3.4
Core compatibility: 8.x
Release type: Security update
Packaged Git sha1: d380c50988332658fb77dbab8fc7ca1af1987c25
Graber

spamspan 8.x-1.1

2 months 2 weeks ago

This release resolves SA-CONTRIB-2020-002.

Changes since 8.x-1.0:

  • By JeroenT, vitalie: fixed xss vulnerability - the spamspan twig filter was unexpectedly by-passing auto-escaping
Release files: spamspan-8.x-1.1.tar.gz, spamspan-8.x-1.1.zip
VCS Label: 8.x-1.1
Core compatibility: 8.x
Release type: Security update
Packaged Git sha1: 2fb7c5428dbaf0f4e4ba4ad6c08816ec8052cec0
vitalie

radix 7.x-3.8

2 months 3 weeks ago

Fixes Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001

Changes since 7.x-3.7:

Release files: radix-7.x-3.8.tar.gz, radix-7.x-3.8.zip
VCS Label: 7.x-3.8
Core compatibility: 7.x
Release type: Security update, Bug fixes
Packaged Git sha1: eeb01a65ad1fb519af56ca13b5eac623cabaf9fe
dsnopek

drupal 8.8.1

3 months 2 weeks ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Important update information
  • The pear/archive_tar project has been updated from version 1.4.6 (Drupal 8.7) and 1.4.8 (Drupal 8.8) to version 1.4.9 in order to mitigate URL HERE.
  • No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

The packaged tar and zip files that were available from 2019-12-18 20:53:00 UTC until 2019-12-18 21:13:00 UTC were erroneously published with drupal 8.8.0 packaged inside. If you downloaded a tarball during that window, you should re-download it and upgrade again using the new tarball.

Release files: drupal-8.8.1.tar.gz, drupal-8.8.1.zip
VCS Label: 8.8.1
Core compatibility: 8.x
Release type: Security update, Insecure
Short description: Actively maintained with new features and backwards-compatible improvements every six months. Use this version for the best compatibility with future releases.
Packaged Git sha1: db022d572ec50469c113a9ea33abe95ba35bc48a
mlhess

drupal 8.7.11

3 months 2 weeks ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Important update information
  • The pear/archive_tar project has been updated from version 1.4.6 (Drupal 8.7) and 1.4.8 (Drupal 8.8) to version 1.4.9 in order to mitigate Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012

  • No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release files: drupal-8.7.11.tar.gz, drupal-8.7.11.zip
VCS Label: 8.7.11
Core compatibility: 8.x
Release type: Security update, Insecure
Short description: Actively maintained with new features and backwards-compatible improvements every six months. Use this version for the best compatibility with future releases.
Packaged Git sha1: a9f11fbd8dc67b651668061e98e23d6503da400d
mlhess

drupal 7.69

3 months 2 weeks ago

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Important update information

No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

Release files: drupal-7.69.tar.gz, drupal-7.69.zip
VCS Label: 7.69
Core compatibility: 7.x
Release type: Security update
Short description: Supported until November 2021. Use this version for sites already running Drupal 7.
Packaged Git sha1: 2e3449d8b8d15476b6c32f6e8771aad43fc5ca69
mlhess