[pkg-php-pear] Fix for CVE-2015-4050/symfony
taffit at debian.org
Sat May 30 20:41:11 UTC 2015
On 30/05/2015 12:55, Moritz Mühlenhoff wrote:
> On Wed, May 27, 2015 at 09:31:14AM -0400, David Prévot wrote:
>> Daniel just prepared a fixed symfony package backporting the patch for
> Please upload to security-master, we can fix this through a DSA.
Uploaded, thanks. Here is an initial draft for the announcement.
Package : symfony
CVE ID : CVE-2015-4050
Jakub Zalas discovered that Symfony, a framework to create websites and
web applications, was vulnerable to unauthorized access. It was
affecting applications with ESI or SSI support enabled, that use the
FragmentListener. A malicious user could call any controller via the
/_fragment path by providing an invalid hash in the URL (or removing
it), bypassing URL signing and security rules.
For the stable distribution (jessie), this problem has been fixed in
For the testing distribution (stretch) and the unstable distribution
(sid), this problem has been fixed in version 2.7.0~beta2+dfsg-2.
We recommend that you upgrade your symfony packages.
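
An added log-triage example, not part of the original message or of Symfony: it scans web access logs for requests to the /_fragment path that were not rejected, which is the pattern the draft announcement describes. It assumes Combined Log Format, that the signature travels in a `_hash` query parameter, that a rejected fragment request is logged with status 403, and that legitimate fragment requests come only from the listed proxy address; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

FRAGMENT_PATH = "/_fragment"      # path named in the announcement
HASH_PARAM = "_hash"              # assumption: name of the signature parameter
TRUSTED_PROXIES = {"127.0.0.1"}   # assumption: the local ESI/SSI gateway

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '127.0.0.1 - - [30/May/2015:10:00:00 +0000] "GET /_fragment?_hash=AbC HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [30/May/2015:10:00:05 +0000] "GET /_fragment HTTP/1.1" 200 900 "-" "-"',
    '203.0.113.7 - - [30/May/2015:10:00:06 +0000] "GET /_fragment?_hash=zzz HTTP/1.1" 403 120 "-" "-"',
    '198.51.100.9 - - [30/May/2015:10:01:00 +0000] "GET /app.php/_fragment?_hash=AAAA HTTP/1.1" 500 0 "-" "-"',
    '198.51.100.9 - - [30/May/2015:10:01:02 +0000] "GET /blog HTTP/1.1" 200 100 "-" "-"',
]

def triage(lines, trusted=TRUSTED_PROXIES):
    """Return (line_no, client_ip, status, reason) for suspicious fragment hits."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        url = urlsplit(m["target"])
        # Also matches front-controller prefixes such as /app.php/_fragment.
        if not unquote(url.path).rstrip("/").endswith(FRAGMENT_PATH):
            continue
        if m["ip"] in trusted:
            continue  # expected source of fragment sub-requests
        status = int(m["status"])
        if status == 403:
            continue  # the request was rejected
        # A hash in the log cannot be verified without the application secret,
        # so a non-rejected external hit is reported either way.
        has_hash = bool(parse_qs(url.query).get(HASH_PARAM))
        reason = "hash-unverified" if has_hash else "hash-missing"
        findings.append((n, m["ip"], status, reason))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
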