Security News > 2020 > November > Drupal Releases Out-of-Band Security Updates Due to Availability of Exploits
The developers of the Drupal content management system released out-of-band security updates right before Thanksgiving due to the availability of exploits.
The core updates released for Drupal 7, 8.8, 8.9 and 9.0 on November 25 address a couple of vulnerabilities affecting PEAR Archive Tar, a third-party library designed for handling.
The researcher who reported the vulnerabilities to PEAR developers also made public proof-of-concept exploits so Drupal decided to roll out the patches to its users as soon as possible.
"According to the regular security release window schedule, November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core's dependencies and some configurations of Drupal are vulnerable," Drupal noted in its advisory.
The latest updates have been assigned a "Critical" severity rating, but it's worth mentioning that Drupal uses the NIST Common Misuse Scoring System, which assigns vulnerabilities a score ranging between 0 and 25, with "Critical" being only the second highest rating, after "Highly critical."