[pkg-php-pear] Bug#1055775: symfony: CVE-2023-46733
Salvatore Bonaccorso
carnil at debian.org
Sat Nov 11 07:56:25 GMT 2023
Source: symfony
Version: 5.4.30+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 5.4.29+dfsg-1
Control: found -1 5.4.23+dfsg-1
Hi,
The following vulnerability was published for symfony.
CVE-2023-46733[0]:
| Symfony is a PHP framework for web and console applications and a
| set of reusable PHP components. Starting in versions 5.4.21 and
| 6.2.7 and prior to versions 5.4.31 and 6.3.8,
| `SessionStrategyListener` does not migrate the session after every
| successful login. It does so only in case the logged in user changes
| by means of checking the user identifier. In some use cases, the
| user identifier doesn't change between the verification phase and
| the successful login, while the token itself changes from one type
| (partially-authenticated) to another (fully-authenticated). When
| this happens, the session id should be regenerated to prevent
| possible session fixations, which is not the case at the moment. As
| of versions 5.4.31 and 6.3.8, Symfony now checks the type of the
| token in addition to the user identifier before deciding whether the
| session id should be regenerated.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-46733
https://www.cve.org/CVERecord?id=CVE-2023-46733
[1] https://github.com/symfony/symfony/security/advisories/GHSA-m2wj-r6g3-fxfx
[2] https://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.5.0-4-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
More information about the pkg-php-pear
mailing list