-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : drupal7 Version : 7.32-1+deb8u14 CVE ID : CVE-2019-6339
A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. With this update a new replacement stream wrapper from typo3 project is used instead of the built-in one. For Debian 8 "Jessie", this problem has been fixed in version 7.32-1+deb8u14. We recommend that you upgrade your drupal7 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlxVOBcACgkQhj1N8u2c KO8bQg/7BNQGxUOaa73QPJOmmJl5PFb+V6zHmnZyYC9A8auPZmkPmWdG07kupa5O SUyjbrHCJwwJ7BjRf9ZLK9iAKMG9CazlkqFnD21e/ounqs7Hhuvnj8tpRp4NebTp WtSG2xV29xwc2sVORHaCjWKIqTtV29AZVygyB4Ovi7p5Pu3LBSa5pg1pUouGYp60 zuGIIlkljq9dt71tBkov4LgHeQNRpQdF4MrXJ2gf+uWFgKzlrs7+zUjYbsA2Y//b q+NPuMH0FjirgYDJhJRdvfhbqLv92RKpW/R7kh4FwAyjNbCHqVG8GjBbSZwPYcg5 q354MGpw9ZG4TQshSlzk8cBZKuI3xx5B1tT/x8Usp5oaj+Y7ReLJ9AYpQlrm7ZxA UgrvDxe67f+yW5d9Z8RfhcnHRQVtajVqs4SsdH1ZBBRLggSVtKAJwPmFR+45PhsR IDQ7IwQPNUccU9apksgxHnRkNqe4iPVSv6oIy1+3QvO9RUDuLSaWKpNlDpUNiHEj 8aZeNRkMoAifYcjEDiPqlNX+5lw9WjR+2Z2GgNSxci2sgmXbmvUD9eWNjc3KakVB 2F6h8K5ocPF2u7PwjO6Hr2DvTUc+9+5b7BD3q481QfjRj4nN1h3s1Msm9JgMo2fl 5U0042Y4tWfvbDFSJB9fBBJ1wq+g+Bo7sY+bWpo88Mgd2IlSpDw= =zlbu -----END PGP SIGNATURE-----
