Debian Security Advisory
DSA-3402-1 symfony -- security update
- Date Reported:
- 24 Nov 2015
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2015-8124, CVE-2015-8125.
- More information:
Several vulnerabilities have been discovered in symfony, a framework to create websites and web applications. The Common Vulnerabilities and Exposures project identifies the following problems:
The RedTeam Pentesting GmbH team discovered a session fixation vulnerability within the
Remember Melogin feature, allowing an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker.
Several potential remote timing attack vulnerabilities were discovered in classes from the Symfony Security component and in the legacy CSRF implementation from the Symfony Form component.
For the stable distribution (jessie), these problems have been fixed in version 2.3.21+dfsg-4+deb8u2.
For the unstable distribution (sid), these problems have been fixed in version 2.7.7+dfsg-1.
We recommend that you upgrade your symfony packages.