[debian-lts-announce] 20190310 [SECURITY] [DLA 1707-1] symfony security update

https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers

Several security vulnerabilities have been discovered in symfony, a PHP web application framework. Numerous symfony components are affected: Security, bundle readers, session handling, SecurityBundle, HttpFoundation, Form, and Security\Http.

The corresponding upstream advisories contain further details :

[CVE-2017-16652] https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on
-security-handlers

[CVE-2017-16654] https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-o ut-of-paths

[CVE-2018-11385] https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-gua rd-authentication

[CVE-2018-11408] https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on
-security-handlers

[CVE-2018-14773] https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and- risky-http-headers

[CVE-2018-19789] https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-f ull-path

[CVE-2018-19790] https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-wh en-using-security-http

For Debian 8 'Jessie', these problems have been fixed in version 2.3.21+dfsg-4+deb8u4.

We recommend that you upgrade your symfony packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

## 3.3.17 (2018-05-25)

  - security #cve-2018-11407 [Ldap] cast to string when     checking empty passwords

  - security #cve-2018-11408 [SecurityBundle] Fail if     security.http_utils cannot be configured

  - security #cve-2018-11406 clear CSRF tokens when the user     is logged out

  - security #cve-2018-11385 migrating session for     UsernamePasswordJsonAuthenticationListener

  - security #cve-2018-11386 [HttpFoundation] Break infinite     loop in PdoSessionHandler when MySQL is in loose mode

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

## 2.8.42 (2018-06-25)

  - bug #27669 [Filesystem] fix file lock on SunOS (fritzmg)

  - bug #27309 Fix surrogate not using original request     (Toflar)

  - bug #27630 [Validator][Form] Remove BOM in some xlf     files (gautierderuette)

  - bug #27591 [VarDumper] Fix dumping ArrayObject and     ArrayIterator instances (nicolas-grekas)

  - bug #27581 Fix bad method call with guard authentication     + session migration (weaverryan)

  - bug #27452 Avoid migration on stateless firewalls     (weaverryan)

  - bug #27514 [Debug] Pass previous exception to     FatalErrorException (pmontoya)

  - bug #26973 [HttpKernel] Set first trusted proxy as     REMOTE_ADDR in InlineFragmentRenderer. (kmadejski)

  - bug #27303 [Process] Consider 'executable' suffixes     first on Windows (sanmai)

  - bug #27297 Triggering RememberMe's loginFail() when     token cannot be created (weaverryan)

  - bug #27366 [DI] never inline lazy services     (nicolas-grekas)

## 2.8.41 (2018-05-25)

  - bug #27359 [HttpFoundation] Fix perf issue during     MimeTypeGuesser intialization (nicolas-grekas)

  - security #cve-2018-11408 [SecurityBundle] Fail if     security.http_utils cannot be configured

  - security #cve-2018-11406 clear CSRF tokens when the user     is logged out

  - security #cve-2018-11385 Adding session authentication     strategy to Guard to avoid session fixation

  - security #cve-2018-11385 Adding session strategy to ALL     listeners to avoid *any* possible fixation

  - security #cve-2018-11386 [HttpFoundation] Break infinite     loop in PdoSessionHandler when MySQL is in loose mode

## 2.8.40 (2018-05-21)

  - bug #26781 [Form] Fix precision of     MoneyToLocalizedStringTransformer's divisions on     transform() (syastrebov)

  - bug #27286 [Translation] Add Occitan plural rule     (kylekatarnls)

  - bug #27246 Disallow invalid characters in session.name     (ostrolucky)

  - bug #24805 [Security] Fix logout (MatTheCat)

  - bug #27141 [Process] Suppress warnings when open_basedir     is non-empty (cbj4074)

  - bug #27250 [Session] limiting :key for GET_LOCK to 64     chars (oleg-andreyev)

  - bug #27237 [Debug] Fix populating error_get_last() for     handled silent errors (nicolas-grekas)

  - bug #27236 [Filesystem] Fix usages of error_get_last()     (nicolas-grekas)

  - bug #27152 [HttpFoundation] use brace-style regex     delimiters (xabbuh)

  - feature #24896 Add CODE_OF_CONDUCT.md (egircys)

## 2.8.39 (2018-04-30)

  - bug #27067 [HttpFoundation] Fix setting session-related     ini settings (e-moe)

  - bug #27016 [Security][Guard]     GuardAuthenticationProvider::authenticate cannot return     null (biomedia-thomas)

  - bug #26831 [Bridge/Doctrine] count(): Parameter must be     an array or an object that implements Countable     (gpenverne)

  - bug #27044 [Security] Skip user checks if not     implementing UserInterface (chalasr)

  - bug #26014 [Security] Fixed being logged out on failed     attempt in guard (iltar)

  - bug #26910 Use new PHP7.2 functions in hasColorSupport     (johnstevenson)

  - bug #26999 [VarDumper] Fix dumping of SplObjectStorage     (corphi)

  - bug #25841 [DoctrineBridge] Fix bug when indexBy is meta     key in PropertyInfo\DoctrineExtractor (insekticid)

  - bug #26886 Don't assume that file binary exists on *nix     OS (teohhanhui)

  - bug #26643 Fix that ESI/SSI processing can turn a     'private' response 'public' (mpdude)

  - bug #26932 [Form] Fixed trimming choice values     (HeahDude)

  - bug #26875 [Console] Don't go past exact matches when     autocompleting (nicolas-grekas)

  - bug #26823 [Validator] Fix LazyLoadingMetadataFactory     with PSR6Cache for non classname if tested values isn't     existing class (Pascal Montoya, pmontoya)

  - bug #26834 [Yaml] Throw parse error on unfinished inline     map (nicolas-grekas)

## 2.8.38 (2018-04-06)

  - bug #26788 [Security] Load the user before pre/post auth     checks when needed (chalasr)

  - bug #26774 [SecurityBundle] Add missing argument to     security.authentication.provider.simple (i3or1s,     chalasr)

  - bug #26763 [Finder] Remove duplicate slashes in     filenames (helhum)

  - bug #26749 Add PHPDbg support to HTTP components     (hkdobrev)

  - bug #26609 [Console] Fix check of color support on     Windows (mlocati)

## 2.8.37 (2018-04-02)

  - bug #26727 [HttpCache] Unlink tmp file on error     (Chansig)

  - bug #26675 [HttpKernel] DumpDataCollector: do not flush     when a dumper is provided (ogizanagi)

  - bug #26663 [TwigBridge] Fix rendering of currency by     MoneyType (ro0NL)

  - bug #26677 Support phpdbg SAPI in Debug::enable()     (hkdobrev)

  - bug #26589 [Ldap] cast to string when checking empty     passwords (ismail1432)

  - bug #26621 [Form] no type errors with invalid submitted     data types (xabbuh)

  - bug #26337 [Finder] Fixed leading/trailing / in filename     (lyrixx)

  - bug #26584 [TwigBridge] allow html5 compatible rendering     of forms with null names (systemist)

  - bug #24401 [Form] Change datetime to datetime-local for     HTML5 datetime input (pierredup)

  - bug #26370 [Security] added userChecker to     SimpleAuthenticationProvider (i3or1s)

  - bug #26569 [BrowserKit] Fix cookie path handling when     $domain is null (dunglas)

  - bug #26598 Fixes #26563 (open_basedir restriction in     effect) (temperatur)

  - bug #26568 [Debug] Reset previous exception handler     earlier to prevent infinite loop (nicolas-grekas)

  - bug #26567 [DoctrineBridge] Don't rely on     ClassMetadataInfo->hasField in DoctrineOrmTypeGuesser     anymore (fancyweb)

  - bug #26356 [FrameworkBundle] HttpCache is not longer     abstract (lyrixx)

  - bug #26548 [DomCrawler] Change bad wording in     ChoiceFormField::untick (dunglas)

  - bug #26433 [DomCrawler] extract(): fix a bug when the     attribute list is empty (dunglas)

  - bug #26452 [Intl] Load locale aliases to support alias     fallbacks (jakzal)

  - bug #26450 [CssSelector] Fix CSS identifiers parsing -     they can start with dash (jakubkulhan)

## 2.8.36 (2018-03-05)

  - bug #26368 [WebProfilerBundle] Fix Debug toolbar breaks     app (xkobal)

## 2.8.35 (2018-03-01)

  - bug #26338 [Debug] Keep previous errors of Error     instances (Philipp91)

  - bug #26312 [Routing] Don't throw 405 when scheme     requirement doesn't match (nicolas-grekas)

  - bug #26298 Fix ArrayInput::toString() for     InputArgument::IS_ARRAY args (maximium)

  - bug #26236 [PropertyInfo] ReflectionExtractor: give a     chance to other extractors if no properties (dunglas)

  - bug #25557 [WebProfilerBundle] add a way to limit ajax     request (Simperfit)

  - bug #26228 [HttpFoundation] Fix missing 'throw' in     JsonResponse (nicolas-grekas)

  - bug #26211 [Console] Suppress warning from     sapi_windows_vt100_support (adawolfa)

  - bug #26156 Fixes #26136: Avoid emitting warning in     hasParameterOption() (greg-1-anderson)

  - bug #26183 [DI] Add null check for removeChild     (changmin.keum)

  - bug #26173 [Security] fix accessing request values     (xabbuh)

  - bug #26159 created validator.tl.xlf for     Form/Translations (ergiegonzaga)

  - bug #26100 [Routing] Throw 405 instead of 404 when     redirect is not possible (nicolas-grekas)

  - bug #26040 [Process] Check PHP_BINDIR before $PATH in     PhpExecutableFinder (nicolas-grekas)

  - bug #26012 Exit as late as possible (greg0ire)

  - bug #26111 [Security] fix merge of 2.7 into 2.8 + add     test case (dmaicher)

  - bug #25893 [Console] Fix hasParameterOption /     getParameterOption when used with multiple flags     (greg-1-anderson)

  - bug #25940 [Form] keep the context when validating forms     (xabbuh)

  - bug #25373 Use the PCRE_DOLLAR_ENDONLY modifier in route     regexes (mpdude)

  - bug #26010 [CssSelector] For AND operator, the left     operand should have parentheses, not only right operand     (Arnaud CHASSEUX)

  - bug #25971 [Debug] Fix bad registration of exception     handler, leading to mem leak (nicolas-grekas)

  - bug #25962 [Routing] Fix trailing slash redirection for     non-safe verbs (nicolas-grekas)

  - bug #25948 [Form] Fixed empty data on expanded     ChoiceType and FileType (HeahDude)

  - bug #25972 support sapi_windows_vt100_support for php     7.2+ (jhdxr)

  - bug #25744 [TwigBridge] Allow label translation to be     safe (MatTheCat)

## 2.8.34 (2018-01-29)

  - bug #25922 [HttpFoundation] Use the correct syntax for     session gc based on Pdo driver (tanasecosminromeo)

  - bug #25933 Disable CSP header on exception pages only in     debug (ostrolucky)

  - bug #25926 [Form] Fixed Button::setParent() when already     submitted (HeahDude)

  - bug #25927 [Form] Fixed submitting disabled buttons     (HeahDude)

  - bug #25891 [DependencyInjection] allow null values for     root nodes in YAML configs (xabbuh)

  - bug #25848 [Validator] add missing parent isset and add     test (Simperfit)

  - bug #25861 do not conflict with egulias/email-validator     2.0+ (xabbuh)

  - bug #25851 [Validator] Conflict with     egulias/email-validator 2.0 (emodric)

  - bug #25837 [SecurityBundle] Don't register in memory     users as services (chalasr)

  - bug #25835 [HttpKernel] DebugHandlersListener should     always replace the existing exception handler     (nicolas-grekas)

  - bug #25829 [Debug] Always decorate existing exception     handlers to deal with fatal errors (nicolas-grekas)

  - bug #25824 Fixing a bug where the dump() function     depended on bundle ordering (weaverryan)

  - bug #25789 Enableable ArrayNodeDefinition is disabled     for empty configuration (kejwmen)

  - bug #25816 Problem in phar see mergerequest #25579     (betzholz)

  - bug #25781 [Form] Disallow transform dates beyond the     year 9999 (curry684)

  - bug #25812 Copied NO language files to the new NB locale     (derrabus)

  - bug #25801 [Router] Skip anonymous classes when loading     annotated routes (pierredup)

  - bug #25657 [Security] Fix fatal error on non string     username (chalasr)

  - bug #25799 Fixed Request::__toString ignoring cookies     (Toflar)

  - bug #25755 [Debug] prevent infinite loop with faulty     exception handlers (nicolas-grekas)

  - bug #25771 [Validator] 19 digits VISA card numbers are     valid (xabbuh)

  - bug #25751 [FrameworkBundle] Add the missing `enabled`     session attribute (sroze)

  - bug #25750 [HttpKernel] Turn bad hosts into 400 instead     of 500 (nicolas-grekas)

  - bug #25490 [Serializer] Fixed throwing exception with     option JSON_PARTIAL_OUTPUT_ON_ERROR (diversantvlz)

  - bug #25709 Tweaked some styles in the profiler tables     (javiereguiluz)

  - feature #25669 [Security] Fail gracefully if the     security token cannot be unserialized from the session     (thewilkybarkid)

## 2.8.33 (2018-01-05)

  - bug #25532 [HttpKernel] Disable CSP header on exception     pages (ostrolucky)

  - bug #25491 [Routing] Use the default host even if     context is empty (sroze)

  - bug #25662 Dumper shouldn't use html format for phpdbg /     cli-server (jhoff)

  - bug #25529 [Validator] Fix access to root object when     using composite constraint (ostrolucky)

  - bug #25430 Fixes for Oracle in PdoSessionHandler     (elislenio)

  - bug #25599 Add application/ld+json format associated to     json (vincentchalamon)

  - bug #25407 [Console] Commands with an alias should not     be recognized as ambiguous (Simperfit)

  - bug #25521 [Console] fix a bug when you are passing a     default value and passing -n would output the index     (Simperfit)

  - bug #25489 [FrameworkBundle] remove esi/ssi renderers if     inactive (dmaicher)

  - bug #25427 Preserve percent-encoding in URLs when     performing redirects in the UrlMatcher (mpdude)

  - bug #25480 [FrameworkBundle] add missing validation     options to XSD file (xabbuh)

  - bug #25487 [Console] Fix a bug when passing a letter     that could be an alias (Simperfit)

  - bug #25233 [TwigBridge][Form] Fix hidden currency     element with Bootstrap 3 theme (julienfalque)

  - bug #25408 [Debug] Fix catching fatal errors in case of     nested error handlers (nicolas-grekas)

  - bug #25330 [HttpFoundation] Support 0 bit netmask in     IPv6 (`::/0`) (stephank)

  - bug #25410 [HttpKernel] Fix logging of post-terminate     errors/exceptions (nicolas-grekas)

  - bug #25323 [ExpressionLanguage] throw an SyntaxError     instead of an undefined index notice (Simperfit)

## 2.8.32 (2017-12-04)

  - bug #25278 Fix for missing whitespace control modifier     in form layout (kubawerlos)

  - bug #25236 [Form][TwigBridge] Fix collision between view     properties and form fields (yceruto)

  - bug #25258 [link] Prevent warnings when running link     with 2.7 (dunglas)

  - bug #24750 [Validator] ExpressionValidator should use     OBJECT_TO_STRING (Simperfit)

  - bug #25182 [HttpFoundation] AutExpireFlashBag should not     clear new flashes (Simperfit, sroze)

  - bug #25152 [Form] Don't rely on     `Symfony\Component\HttpFoundation\File\File` if     http-foundation isn't in FileType (issei-m)

  - bug #24987 [Console] Fix global console flag when used     in chain (Simperfit)

  - bug #25043 [Yaml] added ability for substitute aliases     when mapping is on single line (Micha&#x142; Strzelecki,     xabbuh)

  - bug #25102 [Form] Fixed ContextErrorException in     FileType (chihiro-adachi)

  - bug #25130 [DI] Fix handling of inlined definitions by     ContainerBuilder (nicolas-grekas)

  - bug #25072 [Bridge/PhpUnit] Remove trailing ' ' from     ClockMock::microtime(false) (joky)

  - bug #24956 Fix ambiguous pattern (weltling)

## 2.8.31 (2017-11-16)

  - security #24995 Validate redirect targets using the     session cookie domain (nicolas-grekas)

  - security #24994 Prevent bundle readers from breaking out     of paths (xabbuh)

  - security #24993 Ensure that submitted data are uploaded     files (xabbuh)

  - security #24992 Namespace generated CSRF tokens     depending of the current scheme (dunglas)

## 2.8.30 (2017-11-13)

  - bug #24952 [HttpFoundation] Fix session-related BC break     (nicolas-grekas, sroze)

  - bug #24929 [Console] Fix traversable autocomplete values     (ro0NL)

## 2.8.29 (2017-11-10)

  - bug #24888 [FrameworkBundle] Specifically inject the     debug dispatcher in the collector (ogizanagi)

  - bug #24909 [Intl] Update ICU data to 60.1 (jakzal)

  - bug #24906 [Bridge/ProxyManager] Remove direct reference     to value holder property (nicolas-grekas)

  - bug #24900 [Validator] Fix Costa Rica IBAN format     (Bozhidar Hristov)

  - bug #24904 [Validator] Add Belarus IBAN format (Bozhidar     Hristov)

  - bug #24531 [HttpFoundation] Fix forward-compat of     NativeSessionStorage with PHP 7.2 (sroze)

  - bug #24665 Fix dump panel hidden when closing a dump     (julienfalque)

  - bug #24814 [Intl] Make intl-data tests pass and save     language aliases again (jakzal)

  - bug #24764 [HttpFoundation] add Early Hints to Reponse     to fix test (Simperfit)

  - bug #24605 [FrameworkBundle] Do not load     property_access.xml if the component isn't installed     (ogizanagi)

  - bug #24606 [HttpFoundation] Fix FileBag issue with     associative arrays (enumag)

  - bug #24660 Escape trailing \ in QuestionHelper     autocompletion (kamazee)

  - bug #24644 [Security] Fixed auth provider authenticate()     cannot return void (glye)

  - bug #24642 [Routing] Fix resource miss (dunglas)

  - bug #24608 Adding the Form default theme files to be     warmed up in Twig's cache (weaverryan)

  - bug #24626 streamed response should return $this (DQNEO)

  - bug #24589 Username and password in basic auth are     allowed to contain '.' (Richard Quadling)

  - bug #24566 Fixed unsetting from loosely equal keys     OrderedHashMap (maryo)

  - bug #24570 [Debug] Fix same vendor detection in class     loader (Jean-Beru)

  - bug #24563 [Serializer] ObjectNormalizer: throw if     PropertyAccess isn't installed (dunglas)

  - bug #24571 [PropertyInfo] Add support for the iterable     type (dunglas)

  - bug #24579 pdo session fix (mxp100)

  - bug #24536 [Security] Reject remember-me token if     UserCheckerInterface::checkPostAuth() fails (kbond)

  - bug #24519 [Validator] [Twig] added magic method
    __isset() to File Constraint class (loru88)

  - bug #24532 [DI] Fix possible incorrect php-code when     dumped strings contains newlines (Strate)

  - bug #24502 [HttpFoundation] never match invalid IP     addresses (xabbuh)

  - bug #24460 [Form] fix parsing invalid floating point     numbers (xabbuh)

  - bug #24490 [HttpFoundation] Combine Cache-Control     headers (c960657)

  - bug #23711 Fix support for PHP 7.2 (Simperfit,     nicolas-grekas)

  - bug #24494 [HttpFoundation] Add missing     session.lazy_write config option (nicolas-grekas)

  - bug #24434 [Form] Use for=ID on radio/checkbox label.
    (Nyholm)

  - bug #24455 [Console] Escape command usage (sroze)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
122721	Debian DLA-1707-1 : symfony security update	Nessus	Debian Local Security Checks	medium
110952	Fedora 27 : php-symfony3 (2018-c8ddc44bbb)	Nessus	Fedora Local Security Checks	medium
110949	Fedora 27 : php-symfony (2018-2bdfc9dc67)	Nessus	Fedora Local Security Checks	medium

CVE-2017-16652

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins