drupal7: Insecure deserialization on bundled third-party library "Phar Stream Wrapper" (SA-CORE-2019-007) (CVE-2019-11831)

Related Vulnerabilities: CVE-2019-11831   CVE-2019-11830  

Debian Bug report logs - #928688

Package: drupal7; Maintainer for drupal7 is Gunnar Wolf <gwolf@debian.org>; Source for drupal7 is src:drupal7.

Reported by: Gunnar Wolf <gwolf@gwolf.org>

Date: Wed, 8 May 2019 21:15:02 UTC

Severity: grave

Tags: security, upstream

Found in version drupal7/7.52-2+deb9u8

Fixed in version drupal7/7.52-2+deb9u9

Done: Gunnar Wolf <gwolf@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#928688; Package drupal7. (Wed, 08 May 2019 21:15:04 GMT)


Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Gunnar Wolf <gwolf@debian.org>. (Wed, 08 May 2019 21:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: drupal7: Insecure deserialization on bundled third-party library "Phar Stream Wrapper" (SA-CORE-2019-007)
Date: Wed, 08 May 2019 16:13:30 -0500
Package: drupal7
Version: 7.52-2+deb9u8
Severity: grave
Tags: security upstream
Justification: user security hole

Drupal security advisory SA-CORE-2019-007 was issued today:

    https://www.drupal.org/SA-CORE-2019-007

It refers to the following advisory in a bundled third-party library:

    https://typo3.org/security/advisory/typo3-psa-2019-007/

It refers to an incorrectly verified deserialization issue that can
lead at least to insecure deserialization issues.

No CVE has yet been issued, TTBOMK.

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-1-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Information forwarded to debian-bugs-dist@lists.debian.org, Gunnar Wolf <gwolf@debian.org>:
Bug#928688; Package drupal7. (Thu, 09 May 2019 17:36:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Gunnar Wolf <gwolf@debian.org>. (Thu, 09 May 2019 17:36:03 GMT)


Message #10 received at 928688@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Gunnar Wolf <gwolf@gwolf.org>, 928688@bugs.debian.org
Subject: Re: Bug#928688: drupal7: Insecure deserialization on bundled third-party library "Phar Stream Wrapper" (SA-CORE-2019-007)
Date: Thu, 9 May 2019 19:33:47 +0200
Control: retitle -1 drupal7: Insecure deserialization on bundled third-party library "Phar Stream Wrapper" (SA-CORE-2019-007) (CVE-2019-11831)

On Wed, May 08, 2019 at 04:13:30PM -0500, Gunnar Wolf wrote:
> Package: drupal7
> Version: 7.52-2+deb9u8
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> 
> Drupal security advisory SA-CORE-2019-007 was issued today:
> 
>     https://www.drupal.org/SA-CORE-2019-007
> 
> It refers to the following advisory in a bundled third-party library:
> 
>     https://typo3.org/security/advisory/typo3-psa-2019-007/
> 
> It refers to an incorrectly verified deserialization issue that can
> lead at least to insecure deserialization issues.
> 
> No CVE has yet been issued, TTBOMK.

CVE-2019-11831 is used by the Drupal advisory now, but not the related
CVE-2019-11830.

Regards,
Salvatore



Changed Bug title to 'drupal7: Insecure deserialization on bundled third-party library "Phar Stream Wrapper" (SA-CORE-2019-007) (CVE-2019-11831)' from 'drupal7: Insecure deserialization on bundled third-party library "Phar Stream Wrapper" (SA-CORE-2019-007)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 928688-submit@bugs.debian.org. (Thu, 09 May 2019 17:36:03 GMT)


Reply sent to Gunnar Wolf <gwolf@debian.org>:
You have taken responsibility. (Fri, 17 May 2019 19:21:07 GMT)


Notification sent to Gunnar Wolf <gwolf@gwolf.org>:
Bug acknowledged by developer. (Fri, 17 May 2019 19:21:07 GMT)


Message #17 received at 928688-close@bugs.debian.org:

From: Gunnar Wolf <gwolf@debian.org>
To: 928688-close@bugs.debian.org
Subject: Bug#928688: fixed in drupal7 7.52-2+deb9u9
Date: Fri, 17 May 2019 19:17:08 +0000
Source: drupal7
Source-Version: 7.52-2+deb9u9

We believe that the bug you reported is fixed in the latest version of
drupal7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928688@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gunnar Wolf <gwolf@debian.org> (supplier of updated drupal7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 10 May 2019 18:49:10 -0500
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.52-2+deb9u9
Distribution: stretch-security
Urgency: high
Maintainer: Gunnar Wolf <gwolf@debian.org>
Changed-By: Gunnar Wolf <gwolf@debian.org>
Description:
 drupal7    - fully-featured content management framework
Closes: 928688
Changes:
 drupal7 (7.52-2+deb9u9) stretch-security; urgency=high
 .
   * SA-CORE-2019-006: Fixes bundled library's insecure management of
     deserialization (Closes: #928688)
Checksums-Sha1:
 406ada89cb5e855a91d24bc828de356d1482ddf5 1877 drupal7_7.52-2+deb9u9.dsc
 a99d8811368a6c37717b78e2784e187d93614c6b 216556 drupal7_7.52-2+deb9u9.debian.tar.xz
 bad6ebbfa0e6e9c5ba1cfc4b375b3861dc0c13b5 2536612 drupal7_7.52-2+deb9u9_all.deb
 9b94c889194e5a5a04b41b8982fbe4dbf23d2aa5 9076 drupal7_7.52-2+deb9u9_amd64.buildinfo
Checksums-Sha256:
 b009be9849106ed0808ec23621f6048141b4f5ebcaf6bff5f9117f0112b2ccc7 1877 drupal7_7.52-2+deb9u9.dsc
 b6912c6aa2c3f5d7997d3a4032d42df7c4f642d61edae4e23a21f735d6ab54c9 216556 drupal7_7.52-2+deb9u9.debian.tar.xz
 339a9c3002af9cbe320de40dac1d3e0f0a9f0a1f24f0b50c151fde24ae4c99e8 2536612 drupal7_7.52-2+deb9u9_all.deb
 4088d1c85c278ad650c404091bd626dd7cc3e63a956f4df915a4284549df9443 9076 drupal7_7.52-2+deb9u9_amd64.buildinfo
Files:
 4a5ab29a88c02ccec5f3b0677d0347e1 1877 web extra drupal7_7.52-2+deb9u9.dsc
 8102aa6b819cc736b15141bb7fc6c77d 216556 web extra drupal7_7.52-2+deb9u9.debian.tar.xz
 33ffa2a2719f7938f427a76b76a16796 2536612 web extra drupal7_7.52-2+deb9u9_all.deb
 69ddb9289642f7e874d7555debbf5fe2 9076 web extra drupal7_7.52-2+deb9u9_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:39:14 2019; Machine Name: beach
