[Git][security-tracker-team/security-tracker][master] Update status for CVE-2018-11407/symfony
Salvatore Bonaccorso
carnil at debian.org
Fri Aug 3 20:48:59 BST 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
36d56da0 by Salvatore Bonaccorso at 2018-08-03T19:48:47Z
Update status for CVE-2018-11407/symfony
The fix was completely applied for stretch, as it directly used the
https://github.com/symfony/symfony/commit/2f5bd18d82f4a8911d549d14c72bf935602834a9
based fix, casting the $password variable to string. Thus stretch was
never really affected by CVE-2018-11407.
- - - - -
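The commit message above turns on one PHP detail: a guard that compares the password only against the empty string lets a null password through, while a guard that casts to string first rejects both. The following is an added example, not Symfony's code and not the Debian patch; the function names, the bind helper and the sample DN are constructed for illustration. The one external fact it relies on is that an LDAP bind with an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), and PHP's own ldap_bind() treats a null password the same way.

```php
<?php
// Added example (not Symfony's code): why a null password slips past a
// check that only compares against the empty string, and how a (string)
// cast closes the gap. All names below are hypothetical.
declare(strict_types=1);

/**
 * Incomplete guard: rejects '' but lets null through, because in PHP
 * '' === null is false. A null password is what a missing form field
 * or a JSON null typically arrives as.
 */
function rejectsEmptyPasswordIncomplete(?string $password): bool
{
    return '' === $password;
}

/**
 * Complete guard: (string) null === '' is true, so null and '' are both
 * rejected before any bind is attempted.
 */
function rejectsEmptyPasswordComplete(?string $password): bool
{
    return '' === (string) $password;
}

/**
 * Hypothetical bind helper standing in for an LDAP client. With an empty
 * (or, for ldap_bind(), null) password many LDAP servers perform an
 * unauthenticated bind (RFC 4513 section 5.1.2) and report success
 * without checking any credential, which is why the guard must run
 * before the bind, not after it.
 */
function bindOrThrow(string $dn, ?string $password, callable $guard): string
{
    if ($guard($password)) {
        throw new InvalidArgumentException('The password must not be empty.');
    }
    // Real code would call ldap_bind($conn, $dn, $password) here.
    return "bind attempted for {$dn}";
}

// Constructed sample DN and candidate passwords.
$dn = 'uid=alice,ou=people,dc=example,dc=com';

foreach ([null, '', 's3cret'] as $candidate) {
    $label = var_export($candidate, true);
    foreach (['incomplete' => 'rejectsEmptyPasswordIncomplete',
              'complete'   => 'rejectsEmptyPasswordComplete'] as $name => $guard) {
        try {
            $result = bindOrThrow($dn, $candidate, $guard);
        } catch (InvalidArgumentException $e) {
            $result = 'rejected: ' . $e->getMessage();
        }
        printf("%-10s password=%-8s -> %s\n", $name, $label, $result);
    }
}
```

Running it shows the only row where the two guards disagree: for a null password the incomplete guard lets the bind go ahead, the complete guard rejects it. That single row is the difference between the original CVE-2016-2403 fix and the completed one referenced in the commit message, and it is the reason the (string) cast matters even though it looks like a no-op.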
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -8706,6 +8706,7 @@ CVE-2018-11408 (The security handlers in the Security component in Symfony in 2.
NOTE: https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers
CVE-2018-11407 (An issue was discovered in the Ldap component in Symfony 2.8.x before ...)
- symfony 3.4.12+dfsg-1
+ [stretch] - symfony <not-affected> (Incomplete fix for CVE-2016-2403 not applied)
NOTE: https://symfony.com/blog/cve-2018-11407-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password
CVE-2018-11406 (An issue was discovered in the Security component in Symfony 2.7.x ...)
- symfony 3.4.12+dfsg-1
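Review bot: the not-affected reason on the new `[stretch]` line, "Incomplete fix for CVE-2016-2403 not applied", can be read as saying that no fix was applied at all. Per the commit message stretch carries the complete upstream fix (commit 2f5bd18d with the (string) cast of $password), so a reason that states that positively, e.g. `[stretch] - symfony <not-affected> (Complete upstream fix for CVE-2016-2403 applied)`, would avoid the ambiguity for anyone reading the tracker entry without the commit history.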
@@ -114530,6 +114531,10 @@ CVE-2016-2403 (Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers
- symfony 2.8.6+dfsg-1
[jessie] - symfony <not-affected> (Vulnerable code not present)
NOTE: http://symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password
+ NOTE: Original commit incomplete and did not test for 'null' password resulting in
+ NOTE: CVE-2018-11407. Complete fix as per
+ NOTE: https://github.com/symfony/symfony/pull/26589
+ NOTE: https://github.com/symfony/symfony/commit/2f5bd18d82f4a8911d549d14c72bf935602834a9
CVE-2013-7450 (Pulp before 2.3.0 uses the same the same certificate authority key and ...)
NOT-FOR-US: Pulp (Red Hat)
CVE-2013-7448 (Directory traversal vulnerability in wiki.c in didiwiki allows remote ...)
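Review bot: the first added NOTE says "Original commit incomplete" without identifying which commit is meant; since the entry now links the complete fix (PR 26589 / commit 2f5bd18d), naming the original upstream commit, or at least wording it as "Original upstream fix incomplete", would let a reader tell the two apart. It would also help to record on this entry that the stretch package already carries the complete fix, which is what the commit message gives as the basis for marking CVE-2018-11407 `<not-affected>` for stretch, since the only fixed version listed here is 2.8.6+dfsg-1.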
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/36d56da051e2dc4b5cf6a3b5ac435a41d70e375f