Your message dated Fri, 17 May 2019 19:17:08 +0000
with message-id <e1hrils-000alu...@fasolo.debian.org>
and subject line Bug#928688: fixed in drupal7 7.52-2+deb9u9
has caused the Debian Bug report #928688,
regarding drupal7: Insecure deserialization on bundled third-party library
"Phar Stream Wrapper" (SA-CORE-2019-007) (CVE-2019-11831)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
928688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928688
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: drupal7
Version: 7.52-2+deb9u8
Severity: grave
Tags: security upstream
Justification: user security hole
Drupal security advisory SA-CORE-2019-007 was issued today:
https://www.drupal.org/SA-CORE-2019-007
It refers to the following advisory in a bundled third-party library:
https://typo3.org/security/advisory/typo3-psa-2019-007/
It refers to an incorrectly verified deserialization issue that can
lead at least to insecure deserialization issues.
No CVE has yet been issued, TTBOMK.
-- System Information:
Debian Release: 10.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-1-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: drupal7
Source-Version: 7.52-2+deb9u9
We believe that the bug you reported is fixed in the latest version of
drupal7, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gunnar Wolf <gw...@debian.org> (supplier of updated drupal7 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 10 May 2019 18:49:10 -0500
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.52-2+deb9u9
Distribution: stretch-security
Urgency: high
Maintainer: Gunnar Wolf <gw...@debian.org>
Changed-By: Gunnar Wolf <gw...@debian.org>
Description:
drupal7 - fully-featured content management framework
Closes: 928688
Changes:
drupal7 (7.52-2+deb9u9) stretch-security; urgency=high
.
* SA-CORE-2019-006: Fixes bundled library's insecure management of
deserialization (Closes: #928688)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---