Control: retitle -1 drupal7: Insecure deserialization on bundled third-party library "Phar Stream Wrapper" (SA-CORE-2019-007) (CVE-2019-11831)
On Wed, May 08, 2019 at 04:13:30PM -0500, Gunnar Wolf wrote:
> Package: drupal7
> Version: 7.52-2+deb9u8
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> Drupal security advisory SA-CORE-2019-007 was issued today:
>
> https://www.drupal.org/SA-CORE-2019-007
>
> It refers to the following advisory in a bundled third-party library:
>
> https://typo3.org/security/advisory/typo3-psa-2019-007/
>
> It refers to an incorrectly verified deserialization issue that can
> lead at least to insecure deserialization issues.
>
> No CVE has yet been issued, TTBOMK.

CVE-2019-11831 is used by the Drupal advisory now, but not the related
CVE-2019-11830.

Regards,
Salvatore