[Git][security-tracker-team/security-tracker][master] add one more symfony issue and references
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Thu May 21 08:39:28 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9f3878c9 by Moritz Muehlenhoff at 2026-05-21T09:38:34+02:00
add one more symfony issue and references
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -158,50 +158,100 @@ CVE-2026-XXXX [ROHC protocol dissector crash]
[bookworm] - wireshark <no-dsa> (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2026-51.html
NOTE: https://gitlab.com/wireshark/wireshark/-/work_items/21243
+CVE-2026-46626
+ - symfony 7.4.12+dfsg-1
+ NOTE: https://symfony.com/blog/cve-2026-46626-symfonyruntime-cve-2024-50340-patch-bypass-via-parse-str-sapi-argv-mismatch
+CVE-2026-45070
+ - symfony 7.4.12+dfsg-1
+ NOTE: https://symfony.com/blog/cve-2026-45070-email-header-injection-via-non-token-characters-in-mime-parameter-names
CVE-2026-45065
- symfony 7.4.12+dfsg-1
+ NOTE: https://symfony.com/blog/cve-2026-45065-urlgenerator-route-requirement-bypass-via-unanchored-regex-alternation-off-site-host-url-injection
CVE-2026-45071
- symfony 7.4.12+dfsg-1
+ NOTE: https://symfony.com/blog/cve-2026-45071-xxe-local-file-disclosure-in-domcrawler-addxmlcontent-via-validateonparse-true
CVE-2026-45066
- symfony 7.4.12+dfsg-1
+ [bookworm] - symfony <not-affected> (Vulnerable code not present, introduced in 6.1)
+ [bullseye] - symfony <not-affected> (Vulnerable code not present, introduced in 6.1)
+ NOTE: https://symfony.com/blog/cve-2026-45066-htmlsanitizer-allowlinkhosts-allowmediahosts-bypass-via-url-parser-differentials-and-area-misclassification
CVE-2026-45069
- symfony 7.4.12+dfsg-1
+ [bookworm] - symfony <not-affected> (Vulnerable code not present, introduced in 6.3)
+ NOTE: https://symfony.com/blog/cve-2026-45069-oidctokenhandler-accepts-jwts-missing-aud-iss-exp-claims
CVE-2026-45063
- symfony 7.4.12+dfsg-1
+ NOTE: https://symfony.com/blog/cve-2026-45063-identity-spoofing-via-unanchored-dn-regex-in-x509authenticator
CVE-2026-45067
- symfony 7.4.12+dfsg-1
+ NOTE: https://symfony.com/blog/cve-2026-45067-email-header-smtp-command-injection-via-crlf-in-symfony-component-mime-address
CVE-2026-45068
- symfony 7.4.12+dfsg-1
+ NOTE: https://symfony.com/blog/cve-2026-45068-argument-injection-in-sendmailtransport-via-dash-prefixed-recipient-address
CVE-2026-45756
- symfony 7.4.12+dfsg-1
+ [trixie] - symfony <not-affected> (Vulnerable code not present, introduced in 7.3)
+ [bookworm] - symfony <not-affected> (Vulnerable code not present, introduced in 7.3)
+ [bullseye] - symfony <not-affected> (Vulnerable code not present, introduced in 7.3)
+ NOTE: https://symfony.com/blog/cve-2026-45756-jsonpath-evaluates-attacker-controlled-regular-expressions-in-match-search-without-limits-redos
CVE-2026-45755
- symfony 7.4.12+dfsg-1
+ [trixie] - symfony <not-affected> (Vulnerable code not present, introduced in 7.2)
+ [bookworm] - symfony <not-affected> (Vulnerable code not present, introduced in 7.2)
+ [bullseye] - symfony <not-affected> (Vulnerable code not present, introduced in 7.2)
+ NOTE: https://symfony.com/blog/cve-2026-45755-mailtrap-mailer-webhook-parser-never-verifies-the-x-mt-signature-hmac-unauthenticated-webhook-event-injection
CVE-2026-45064
- symfony 7.4.12+dfsg-1
+ [bookworm] - symfony <not-affected> (Vulnerable code not present, introduced in 6.1)
+ [bullseye] - symfony <not-affected> (Vulnerable code not present, introduced in 6.1)
+ NOTE: https://symfony.com/blog/cve-2026-45064-htmlsanitizer-url-attributes-pass-through-bidi-override-characters-visual-href-spoofing
CVE-2026-45077
- symfony 7.4.12+dfsg-1
+ NOTE: https://symfony.com/blog/cve-2026-45077-unauthenticated-php-object-deserialization-in-monologbridge-server-log-listener
CVE-2026-45075
- symfony 7.4.12+dfsg-1
+ [trixie] - symfony <not-affected> (Vulnerable code not present, introduced in 7.4)
+ [bookworm] - symfony <not-affected> (Vulnerable code not present, introduced in 7.4)
+ [bullseye] - symfony <not-affected> (Vulnerable code not present, introduced in 7.4)
+ NOTE: https://symfony.com/blog/cve-2026-45075-head-request-bypasses-methods-get-filter-in-isgranted-issignaturevalid-iscsrftokenvalid
CVE-2026-45133
- symfony 7.4.12+dfsg-1
+ NOTE: https://symfony.com/blog/cve-2026-45133-yaml-parser-stack-exhaustion-via-unbounded-recursion-in-nested-blocks-sequences-and-mappings
CVE-2026-45072
- symfony 7.4.12+dfsg-1
+ [bookworm] - symfony <not-affected> (Vulnerable code not present)
+ [bullseye] - symfony <not-affected> (Vulnerable code not present)
+ NOTE: https://symfony.com/blog/cve-2026-45072-stored-xss-in-webprofiler-codeextension-fileexcerpt-unescaped-non-php-file-rendering
CVE-2026-45073
- symfony 7.4.12+dfsg-1
+ NOTE: https://symfony.com/blog/cve-2026-45073-sql-injection-in-pdoadapter-doclear-via-unsanitized-prefix
CVE-2026-45304
- symfony 7.4.12+dfsg-1
+ NOTE: https://symfony.com/blog/cve-2026-45304-yaml-parser-exponential-memory-allocation-via-recursive-collection-alias-expansion-billion-laughs
CVE-2026-45305
- symfony 7.4.12+dfsg-1
+ NOTE: https://symfony.com/blog/cve-2026-45305-yaml-parser-redos-via-catastrophic-backtracking-in-parser-cleanup-regex
CVE-2026-45074
- symfony 7.4.12+dfsg-1
+ [trixie] - symfony <not-affected> (Vulnerable code not present, introduced in 7.1)
+ [bookworm] - symfony <not-affected> (Vulnerable code not present, introduced in 7.1)
+ [bullseye] - symfony <not-affected> (Vulnerable code not present, introduced in 7.1)
+ NOTE: https://symfony.com/blog/cve-2026-45074-cas2handler-derives-cas-service-url-from-client-host-header-cross-service-ticket-replay
CVE-2026-45754
- symfony 7.4.12+dfsg-1
+ [bookworm] - symfony <not-affected> (Vulnerable code not present, introduced in 6.4)
+ [bullseye] - symfony <not-affected> (Vulnerable code not present, introduced in 6.4)
+ NOTE: https://symfony.com/blog/cve-2026-45754-mailjet-and-lox24-webhook-parsers-never-verify-the-configured-secret-unauthenticated-event-injection
CVE-2026-47212
- symfony 7.4.12+dfsg-1
+ [bookworm] - symfony <not-affected> (Vulnerable code not present, introduced in 6.4)
+ [bullseye] - symfony <not-affected> (Vulnerable code not present, introduced in 6.4)
+ NOTE: https://symfony.com/blog/cve-2026-47212-twilio-notifier-webhook-parser-never-verifies-the-x-twilio-signature-hmac-unauthenticated-webhook-event-injection
CVE-2026-45753
- symfony 7.4.12+dfsg-1
-CVE-2026-46626
- - symfony 7.4.12+dfsg-1
+ [bookworm] - symfony <not-affected> (Vulnerable code not present, introduced in 6.1)
+ [bullseye] - symfony <not-affected> (Vulnerable code not present, introduced in 6.1)
+ NOTE: https://symfony.com/blog/cve-2026-45753-htmlsanitizer-urlattributesanitizer-omits-action-formaction-poster-cite-javascript-uri-survives-sanitization-xss
CVE-2026-47373 (Crypt::SaltedHash versions through 0.09 for Perl is susceptible to tim ...)
- libcrypt-saltedhash-perl <unfixed>
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40249915/
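Review bot: the new `[bookworm]`/`[bullseye]` lines under CVE-2026-45072 read `(Vulnerable code not present)` without the version in which the code was introduced, while every other not-affected line in this hunk records it (e.g. `+ [bookworm] - symfony <not-affected> (Vulnerable code not present, introduced in 6.1)`); adding the introducing version there keeps the triage reproducible. Also, the entries that gain only a NOTE and no suite annotation (CVE-2026-46626, CVE-2026-45070, CVE-2026-45065, CVE-2026-45071, CVE-2026-45063, CVE-2026-45067, CVE-2026-45068, CVE-2026-45077, CVE-2026-45133, CVE-2026-45073, CVE-2026-45304, CVE-2026-45305) thereby remain marked as affecting bookworm and bullseye; if that is intended it is worth stating, since the remaining symfony entries in the same hunk were all checked for the introducing branch.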
=====================================
data/dsa-needed.txt
=====================================
@@ -106,6 +106,8 @@ smb4k/oldstable
spip
Maintainer prepared an update
--
+symfony
+--
sympa/oldstable
--
thunderbird (jmm)
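Review bot: the added `+symfony` line carries no suite suffix, unlike the neighbouring `smb4k/oldstable` and `sympa/oldstable` entries, and no claimant in parentheses, unlike `thunderbird (jmm)`; since the data/CVE/list hunk in this same commit leaves a number of symfony CVEs without any `[bookworm]` or `[bullseye]` annotation (so they are treated as affecting those suites too), consider whether a suite-specific entry such as `symfony/oldstable` is also needed, and mark the entry as claimed if someone is already preparing the update.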
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f3878c98c17c4fd8abf383a06b1705da2830aff