[pkg-php-pear] Symfony: CVE-2015-4050 (ESI unauthorized access)

David Prévot david at tilapin.org
Wed May 27 12:39:06 UTC 2015

Hi Daniel,

Le 27/05/2015 03:26, Daniel Beyer a écrit :

> today security releases for Symfony targeting CVE-2015-4050 "ESI
> unauthorized access" have made available by upstream [1]. I updated the
> jessie branch to contain a proper patch for this.
> Since I was not sure whether this is urgency "high" or "critical", I did
> not update d/changelog, thus please run a "# gbd dch --release" to
> update it accordingly before uploading symfony to the archives.

Upload targeted to jessie-security should be urgency=high. I’ll follow
up with a request to the security team while keeping you in the loop.
Did you already give the fixed package a try (I don’t really use
php-symfony-http-kernel other than running the test suite against it)?

> Upstream seems not to release a fix for the 2.7 betas, soon. I guess
> cherry-picking d320d27699abcea12479cf608908fa91bcc133d4 from upstream
> should be enough (as it was for the 2.3 series). I've done so in
> wip/2.7-CVE-2015-4050. Please have a look into this branch and merge it
> into master (+ upload to sid), if you think its okay.

Thank you. We should also work around #786803 to make sure the fix
reaches testing in a timely manner (E.g., by overriding
php-symfony-security-* into php-symfony-security instead of relying on
the versioned provides).



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-pear/attachments/20150527/acd4405d/attachment.sig>

More information about the pkg-php-pear mailing list