[Git][security-tracker-team/security-tracker][master] Document more symfony issues

Sun Jul 22 01:27:35 BST 2018

David Prévot pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7071bbd2 by David Prévot at 2018-07-22T08:24:13+08:00
Document more symfony issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================

--- a/data/CVE/list
+++ b/data/CVE/list
@@ -40813,8 +40813,10 @@ CVE-2017-16792 (Stored cross-site scripting (XSS) vulnerability in "geminab
 	NOT-FOR-US: geminabox
 CVE-2017-16791
 	RESERVED
-CVE-2017-16790
-	RESERVED
+CVE-2017-16790 (Ensure that submitted data are uploaded files)
+	- symfony 3.4.0+dfsg-1
+	NOTE: https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files
+	NOTE: https://github.com/symfony/symfony/pull/24993
 CVE-2017-16789 (Cross-site scripting (XSS) vulnerability in Integration Matters nJAMS ...)
 	NOT-FOR-US: TIBCO
 CVE-2017-16788 (Directory traversal vulnerability in the "Upload Groupkey" ...)
@@ -41123,15 +41125,19 @@ CVE-2017-16656
 	RESERVED
 CVE-2017-16655
 	RESERVED
-CVE-2017-16654
-	RESERVED
-CVE-2017-16653
-	RESERVED
+CVE-2017-16654 (Intl bundle readers breaking out of paths)
+	- symfony 3.4.0+dfsg-1
+	NOTE: https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths
+	NOTE: https://github.com/symfony/symfony/pull/24994
+CVE-2017-16653 (CSRF protection does not use different tokens for HTTP and HTTPS)
+	- symfony 3.4.0+dfsg-1
+	NOTE: https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https
+	NOTE: https://github.com/symfony/symfony/pull/24992
 CVE-2017-16652 (An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before ...)
 	- symfony 3.4.0+dfsg-1
 	NOTE: https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers
 	NOTE: https://github.com/symfony/symfony/pull/24995
-	NOTE: See CVE-2018-11408 to adress original incomplete fix for CVE-2017-16652
+	NOTE: See CVE-2018-11408 to address original incomplete fix for CVE-2017-16652
 CVE-2017-16651 (Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before ...)
 	{DSA-4030-1 DLA-1193-1}
 	- roundcube 1.3.3+dfsg.1-1
@@ -57162,8 +57168,9 @@ CVE-2017-11367 (The shoco_decompress function in the API in shoco through 2017-0
 	NOT-FOR-US: shoco
 CVE-2017-11366 (components/filemanager/class.filemanager.php in Codiad before 2.8.4 is ...)
 	NOT-FOR-US: Codiad
-CVE-2017-11365
-	RESERVED
+CVE-2017-11365 (Empty passwords validation issue)
+	- symfony <not-affected> (introduced in versions that were never packaged in Debian)
+	NOTE: https://symfony.com/blog/cve-2017-11365-empty-passwords-validation-issue
 CVE-2017-11364 (The CMS installer in Joomla! before 3.7.4 does not verify a user's ...)
 	NOT-FOR-US: Joomla
 CVE-2017-11363



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7071bbd2343bea12faaeeffefc15cf58ea605f95

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7071bbd2343bea12faaeeffefc15cf58ea605f95
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180722/31cf6d95/attachment.html>
