
[SECURITY] [DLA 1659-1] drupal7 security update




Package        : drupal7
Version        : 7.32-1+deb8u14
CVE ID         : CVE-2019-6339

A remote code execution vulnerability exists in PHP's built-in phar
stream wrapper when performing file operations on an untrusted phar://
URI. Some Drupal code (core, contrib, and custom) may be performing
file operations on insufficiently validated user input, thereby being
exposed to this vulnerability.

With this update, a new replacement stream wrapper from the TYPO3
project is used instead of the built-in one.

For Debian 8 "Jessie", this problem has been fixed in version
7.32-1+deb8u14.

We recommend that you upgrade your drupal7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

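For custom code that passes user input to file operations, the exposure described in the advisory can be narrowed with a scheme allow-list applied before any file function is called. The following is an added example, not code from Drupal, TYPO3 or the Debian package; the function names and the allowed scheme list are assumptions, and the sample URIs are constructed.

```php
<?php
// Added example, not Drupal or Debian code. Written to run on PHP 5.6 (Debian 8).

// Assumption: the only stream schemes this custom code needs to accept.
$allowed_schemes = array('public', 'private', 'temporary');

/**
 * Returns the lower-cased text before "://", or NULL if the value has no scheme.
 * (Hypothetical helper name.)
 */
function example_uri_scheme($uri) {
    $pos = strpos($uri, '://');
    if ($pos === FALSE) {
        return NULL;
    }
    // Normalise case so that "PHAR://" and "phar://" are treated alike.
    return strtolower(substr($uri, 0, $pos));
}

/**
 * Fail-closed check: accept only URIs whose scheme is on the allow-list.
 * Plain paths, unknown schemes and values containing NUL bytes are rejected.
 */
function example_is_safe_uri($uri, array $allowed) {
    if (!is_string($uri) || strpos($uri, "\0") !== FALSE) {
        return FALSE;
    }
    $scheme = example_uri_scheme($uri);
    return $scheme !== NULL && in_array($scheme, $allowed, TRUE);
}

// Constructed sample inputs standing in for user-supplied values.
$samples = array(
    'public://avatars/user1.png',
    'phar://sites/default/files/upload.jpg/x',
    'PHAR://sites/default/files/upload.jpg/x',
    '/var/www/files/report.txt',
);

foreach ($samples as $uri) {
    if (example_is_safe_uri($uri, $allowed_schemes)) {
        // Only at this point would file_exists(), is_dir(), fopen() etc. be called.
        echo "accept  $uri\n";
    } else {
        echo "reject  $uri\n";
    }
}
```

Only the first sample is accepted. A check like this complements the package upgrade and does not replace it.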
