Bug 755602 (CVE-2020-13671) - www-apps/drupal-{7.74,8.8.11,8.9.9,9.0.8}: improper filename sanitization (CVE-2020-13671)
Summary: www-apps/drupal-{7.74,8.8.11,8.9.9,9.0.8}: improper filename sanitization (CVE-2020-13671)
Status: RESOLVED FIXED
Alias: CVE-2020-13671
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.drupal.org/sa-core-2020-012
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-19 18:43 UTC by GLSAMaker/CVETool Bot
Modified: 2020-11-19 19:25 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2020-11-19 18:43:41 UTC
CVE-2020-13671 (https://nvd.nist.gov/vuln/detail/CVE-2020-13671):
  Drupal core does not properly sanitize certain filenames on uploaded files,
  which can lead to files being interpreted as the incorrect extension and
  served as the wrong MIME type or executed as PHP for certain hosting
  configurations.
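The double-extension hazard behind that description, as an added Python illustration (not Drupal's code, and not the fix shipped in these releases): `apache_addhandler_would_run_php` models a host configured with Apache's `AddHandler application/x-httpd-php .php`, where mod_mime treats every dot-separated component as an extension, so an upload named `shell.php.txt` that passes a final-extension check is still executed as PHP. `munge_filename` neutralises that in the style Drupal's filename munging uses: each intermediate component that looks like an extension and is not on the site's allow-list gets a trailing `_`. The allow-list, the regular expression for "looks like an extension" and all filenames are constructed for this example.

```python
import re
from typing import Optional, Set

# Constructed allow-list for the example; a real site configures this per upload field.
ALLOWED_EXTENSIONS: Set[str] = {"jpg", "jpeg", "png", "gif", "txt", "pdf"}

# Assumed heuristic for "this component looks like a file extension":
# two to five letters, optionally followed by one digit (php, phar, php5, txt, ...).
EXT_LIKE = re.compile(r"^[a-zA-Z]{2,5}\d?$")


def munge_filename(filename: str, allowed: Set[str] = ALLOWED_EXTENSIONS) -> str:
    """Append '_' to every intermediate extension that is not allow-listed.

    Only the components between the basename and the final extension are
    touched; the final extension is checked separately by
    is_allowed_final_extension(), because munging alone must not be the
    last line of defence.
    """
    parts = filename.split(".")
    if len(parts) < 3:
        # "name" or "name.ext": nothing sits between basename and final extension.
        return filename
    new_name = parts[0]
    final_ext = parts[-1]
    for part in parts[1:-1]:
        new_name += "." + part
        if part.lower() not in allowed and EXT_LIKE.match(part):
            # "shell.php.txt" -> "shell.php_.txt": "php_" no longer matches a
            # handler rule for ".php" on a multi-extension-aware web server.
            new_name += "_"
    return new_name + "." + final_ext


def is_allowed_final_extension(filename: str, allowed: Set[str] = ALLOWED_EXTENSIONS) -> bool:
    """True if the last dot-separated component is on the allow-list."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in allowed


def sanitize_upload(filename: str, allowed: Set[str] = ALLOWED_EXTENSIONS) -> Optional[str]:
    """Munge intermediate extensions, then enforce the final one.

    Returns the name the file should be stored under, or None to reject.
    """
    munged = munge_filename(filename, allowed)
    return munged if is_allowed_final_extension(munged, allowed) else None


def apache_addhandler_would_run_php(filename: str) -> bool:
    """Simplified model of mod_mime with `AddHandler application/x-httpd-php .php`.

    Apache treats every component after the first dot as an extension, in any
    order, so the PHP handler fires if any component is exactly "php".
    (A host that instead uses `<FilesMatch "\\.php$"> SetHandler ...` keys on
    the final extension only and is not fooled by "shell.php.txt".)
    """
    return "php" in (p.lower() for p in filename.split(".")[1:])


if __name__ == "__main__":
    # Constructed upload names, including the classic double-extension trick.
    for name in ["photo.jpg", "shell.php", "shell.php.txt", "shell.PHP.txt", "notes.txt.pdf"]:
        stored = sanitize_upload(name)
        print(
            f"{name:16} -> stored as {stored!s:16} "
            f"PHP before/after: {apache_addhandler_would_run_php(name)} / "
            f"{stored is not None and apache_addhandler_would_run_php(stored)}"
        )
```

Running the block shows `shell.php.txt` being accepted under the final-extension check but stored as `shell.php_.txt`, which the AddHandler model no longer executes, while `shell.php` is rejected outright. Because these releases changed how uploaded names are sanitised, files uploaded before the update keep their original names; auditing existing upload directories for names with an intermediate `.php`-style component is the check a practitioner would add alongside the version bump.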
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-11-19 18:45:26 UTC
If you are using Drupal 9.0, update to Drupal 9.0.8
If you are using Drupal 8.9, update to Drupal 8.9.9
If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11
If you are using Drupal 7, update to Drupal 7.74

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Comment 2 Larry the Git Cow gentoo-dev 2020-11-19 19:15:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5a297d26056143660d1db9df545127d2056cbf1

commit c5a297d26056143660d1db9df545127d2056cbf1
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-11-19 19:15:34 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-11-19 19:15:34 +0000

    www-apps/drupal: Security bump (CVE-2020-13671).
    
    Add 7.74, 8.8.11, 8.9.9 and 9.0.8 releases.
    Security issue: SA-CORE-2020-012
    https://www.drupal.org/sa-core-2020-012
    Bug: https://bugs.gentoo.org/755602
    Package-Manager: Portage-3.0.6, Repoman-3.0.1
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest             |  4 +++
 www-apps/drupal/drupal-7.74.ebuild   | 58 ++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.8.11.ebuild | 68 ++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-8.9.9.ebuild  | 68 ++++++++++++++++++++++++++++++++++++
 www-apps/drupal/drupal-9.0.8.ebuild  | 68 ++++++++++++++++++++++++++++++++++++
 5 files changed, 266 insertions(+)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-11-19 19:25:25 UTC
Repository is clean, all done!