Bug#928688: drupal7: Insecure deserialization on bundled third-party library "Phar Stream Wrapper" (SA-CORE-2019-007)

Gunnar Wolf Wed, 08 May 2019 14:15:41 -0700

Package: drupal7
Version: 7.52-2+deb9u8
Severity: grave
Tags: security upstream
Justification: user security hole


Drupal security advisory SA-CORE-2019-007 was issued today:

    https://www.drupal.org/SA-CORE-2019-007

It refers to the following advisory in a bundled third-party library:

    https://typo3.org/security/advisory/typo3-psa-2019-007/

It refers to an incorrectly verified deserialization issue that can
lead at least to insecure deserialization issues.

No CVE has yet been issued, TTBOMK.

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-1-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#928688: drupal7: Insecure deserialization on bundled third-party library "Phar Stream Wrapper" (SA-CORE-2019-007)

Reply via email to