[debian-lts-announce] 20190310 [SECURITY] [DLA 1707-1] symfony security update

FEDORA-2018-eba0006df2

FEDORA-2018-96d770ddc9

FEDORA-2018-ba0b683c10

https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication

DSA-4262

Several security vulnerabilities have been discovered in symfony, a PHP web application framework. Numerous symfony components are affected: Security, bundle readers, session handling, SecurityBundle, HttpFoundation, Form, and Security\Http.

The corresponding upstream advisories contain further details :

[CVE-2017-16652] https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on
-security-handlers

[CVE-2017-16654] https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-o ut-of-paths

[CVE-2018-11385] https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-gua rd-authentication

[CVE-2018-11408] https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on
-security-handlers

[CVE-2018-14773] https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and- risky-http-headers

[CVE-2018-19789] https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-f ull-path

[CVE-2018-19790] https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-wh en-using-security-http

For Debian 8 'Jessie', these problems have been fixed in version 2.3.21+dfsg-4+deb8u4.

We recommend that you upgrade your symfony packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

**Version 2.8.41** (2018-05-25)

  - bug #27359 [HttpFoundation] Fix perf issue during     MimeTypeGuesser intialization (nicolas-grekas)

  - security #cve-2018-11408 [SecurityBundle] Fail if     security.http_utils cannot be configured

  - security #cve-2018-11406 clear CSRF tokens when the user     is logged out

  - security #cve-2018-11385 Adding session authentication     strategy to Guard to avoid session fixation

  - security #cve-2018-11385 Adding session strategy to ALL     listeners to avoid *any* possible fixation

  - security #cve-2018-11386 [HttpFoundation] Break infinite     loop in PdoSessionHandler when MySQL is in loose mode

----

**Version 2.8.40** (2018-05-21)

  - bug #26781 [Form] Fix precision of     MoneyToLocalizedStringTransformer's divisions on     transform() (syastrebov)

  - bug #27286 [Translation] Add Occitan plural rule     (kylekatarnls)

  - bug #27246 Disallow invalid characters in session.name     (ostrolucky)

  - bug #24805 [Security] Fix logout (MatTheCat)

  - bug #27141 [Process] Suppress warnings when open_basedir     is non-empty (cbj4074)

  - bug #27250 [Session] limiting :key for GET_LOCK to 64     chars (oleg-andreyev)

  - bug #27237 [Debug] Fix populating error_get_last() for     handled silent errors (nicolas-grekas)

  - bug #27236 [Filesystem] Fix usages of error_get_last()     (nicolas-grekas)

  - bug #27152 [HttpFoundation] use brace-style regex     delimiters (xabbuh)

  - feature #24896 Add CODE_OF_CONDUCT.md (egircys)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

**Version 3.4.11** (2018-05-25)

  - bug #27364 [DI] Fix bad exception on uninitialized     references to non-shared services (nicolas-grekas)

  - bug #27359 [HttpFoundation] Fix perf issue during     MimeTypeGuesser intialization (nicolas-grekas)

  - security #cve-2018-11408 [SecurityBundle] Fail if     security.http_utils cannot be configured

  - security #cve-2018-11406 clear CSRF tokens when the user     is logged out

  - security #cve-2018-11385 migrating session for     UsernamePasswordJsonAuthenticationListener

  - security #cve-2018-11385 Adding session authentication     strategy to Guard to avoid session fixation

  - security #cve-2018-11385 Adding session strategy to ALL     listeners to avoid *any* possible fixation

  - security #cve-2018-11386 [HttpFoundation] Break infinite     loop in PdoSessionHandler when MySQL is in loose mode

  - bug #27341 [WebProfilerBundle] Fixed validator/dump     trace CSS (yceruto)

  - bug #27337 [FrameworkBundle] fix typo in     CacheClearCommand (emilielorenzo)

----

**Version 3.4.10** (2018-05-21)

  - bug #27264 [Validator] Use strict type in URL validator     (mimol91)

  - bug #27267 [DependencyInjection] resolve array env vars     (jamesthomasonjr)

  - bug #26781 [Form] Fix precision of     MoneyToLocalizedStringTransformer's divisions on     transform() (syastrebov)

  - bug #27286 [Translation] Add Occitan plural rule     (kylekatarnls)

  - bug #27271 [DI] Allow defining bindings on     ChildDefinition (nicolas-grekas)

  - bug #27246 Disallow invalid characters in session.name     (ostrolucky)

  - bug #27287 [PropertyInfo] fix resolving parent|self type     hints (nicolas-grekas)

  - bug #27281 [HttpKernel] Fix dealing with self/parent in     ArgumentMetadataFactory (fabpot)

  - bug #24805 [Security] Fix logout (MatTheCat)

  - bug #27265 [DI] Shared services should not be inlined in     non-shared ones (nicolas-grekas)

  - bug #27141 [Process] Suppress warnings when open_basedir     is non-empty (cbj4074)

  - bug #27250 [Session] limiting :key for GET_LOCK to 64     chars (oleg-andreyev)

  - bug #27237 [Debug] Fix populating error_get_last() for     handled silent errors (nicolas-grekas)

  - bug #27232 [Cache][Lock] Fix usages of error_get_last()     (nicolas-grekas)

  - bug #27236 [Filesystem] Fix usages of error_get_last()     (nicolas-grekas)

  - bug #27191 [DI] Display previous error messages when     throwing unused bindings (nicolas-grekas)

  - bug #27231 [FrameworkBundle] Fix cache:clear on vagrant     (nicolas-grekas)

  - bug #27222 [WebProfilerBundle][Cache] Fix misses     calculation when calling getItems (fsevestre)

  - bug #27227 [HttpKernel] Handle NoConfigurationException     'onKernelException()' (nicolas-grekas)

  - bug #27152 [HttpFoundation] use brace-style regex     delimiters (xabbuh)

  - bug #27158 [Cache] fix logic for fetching tag versions     on TagAwareAdapter (dmaicher)

  - bug #27143 [Console] By default hide the short exception     trace line from exception messages in Symfony's commands     (yceruto)

  - bug #27133 [Doctrine Bridge] fix priority for doctrine     event listeners (dmaicher)

  - bug #27135 [FrameworkBundle] Use the correct service id     for CachePoolPruneCommand in its compiler pass     (DemonTPx)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

**Version 4.0.11** (2018-05-25)

  - bug #27364 [DI] Fix bad exception on uninitialized     references to non-shared services (nicolas-grekas)

  - bug #27359 [HttpFoundation] Fix perf issue during     MimeTypeGuesser intialization (nicolas-grekas)

  - security #cve-2018-11408 [SecurityBundle] Fail if     security.http_utils cannot be configured

  - security #cve-2018-11406 clear CSRF tokens when the user     is logged out

  - security #cve-2018-11385 migrating session for     UsernamePasswordJsonAuthenticationListener

  - security #cve-2018-11385 Adding session authentication     strategy to Guard to avoid session fixation

  - security #cve-2018-11385 Adding session strategy to ALL     listeners to avoid *any* possible fixation

  - security #cve-2018-11386 [HttpFoundation] Break infinite     loop in PdoSessionHandler when MySQL is in loose mode

  - bug #27341 [WebProfilerBundle] Fixed validator/dump     trace CSS (yceruto)

  - bug #27337 [FrameworkBundle] fix typo in     CacheClearCommand (emilielorenzo)

----

**Version 4.0.10** (2018-05-21)

  - bug #27264 [Validator] Use strict type in URL validator     (mimol91)

  - bug #27267 [DependencyInjection] resolve array env vars     (jamesthomasonjr)

  - bug #26781 [Form] Fix precision of     MoneyToLocalizedStringTransformer's divisions on     transform() (syastrebov)

  - bug #27286 [Translation] Add Occitan plural rule     (kylekatarnls)

  - bug #27271 [DI] Allow defining bindings on     ChildDefinition (nicolas-grekas)

  - bug #27246 Disallow invalid characters in session.name     (ostrolucky)

  - bug #27287 [PropertyInfo] fix resolving parent|self type     hints (nicolas-grekas)

  - bug #27281 [HttpKernel] Fix dealing with self/parent in     ArgumentMetadataFactory (fabpot)

  - bug #24805 [Security] Fix logout (MatTheCat)

  - bug #27265 [DI] Shared services should not be inlined in     non-shared ones (nicolas-grekas)

  - bug #27141 [Process] Suppress warnings when open_basedir     is non-empty (cbj4074)

  - bug #27250 [Session] limiting :key for GET_LOCK to 64     chars (oleg-andreyev)

  - bug #27237 [Debug] Fix populating error_get_last() for     handled silent errors (nicolas-grekas)

  - bug #27232 [Cache][Lock] Fix usages of error_get_last()     (nicolas-grekas)

  - bug #27236 [Filesystem] Fix usages of error_get_last()     (nicolas-grekas)

  - bug #27191 [DI] Display previous error messages when     throwing unused bindings (nicolas-grekas)

  - bug #27231 [FrameworkBundle] Fix cache:clear on vagrant     (nicolas-grekas)

  - bug #27222 [WebProfilerBundle][Cache] Fix misses     calculation when calling getItems (fsevestre)

  - bug #27227 [HttpKernel] Handle NoConfigurationException     'onKernelException()' (nicolas-grekas)

  - bug #27152 [HttpFoundation] use brace-style regex     delimiters (xabbuh)

  - bug #27158 [Cache] fix logic for fetching tag versions     on TagAwareAdapter (dmaicher)

  - bug #27143 [Console] By default hide the short exception     trace line from exception messages in Symfony's commands     (yceruto)

  - bug #27133 [Doctrine Bridge] fix priority for doctrine     event listeners (dmaicher)

  - bug #27135 [FrameworkBundle] Use the correct service id     for CachePoolPruneCommand in its compiler pass     (DemonTPx)

  - feature #24896 Add CODE_OF_CONDUCT.md (egircys)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to open redirects, cross-site request forgery, information disclosure, session fixation or denial of service.

ID	Name	Product	Family	Severity
122721	Debian DLA-1707-1 : symfony security update	Nessus	Debian Local Security Checks	high
120881	Fedora 28 : php-symfony (2018-eba0006df2)	Nessus	Fedora Local Security Checks	high
120738	Fedora 28 : php-symfony3 (2018-ba0b683c10)	Nessus	Fedora Local Security Checks	high
120636	Fedora 28 : php-symfony4 (2018-96d770ddc9)	Nessus	Fedora Local Security Checks	high
111535	Debian DSA-4262-1 : symfony - security update	Nessus	Debian Local Security Checks	critical

CVE-2018-11385

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

high

high

high

high

critical