[pkg-php-pear] Fix for CVE-2015-4050/symfony

David Prévot taffit at debian.org
Sat May 30 20:41:11 UTC 2015


Hi Moritz,

On 30/05/2015 12:55, Moritz Mühlenhoff wrote:
> On Wed, May 27, 2015 at 09:31:14AM -0400, David Prévot wrote:

>> Daniel just prepared a fixed symfony package backporting the patch for
>> CVE-2015-4050.

> Please upload to security-master, we can fix this through a DSA.

Uploaded, thanks. Here is an initial draft for the announcement.

Regards

David

Package        : symfony
CVE ID         : CVE-2015-4050

Jakub Zalas discovered that Symfony, a framework to create websites and
web applications, was vulnerable to unauthorized access. It was
affecting applications with ESI or SSI support enabled, that use the
FragmentListener. A malicious user could call any controller via the
/_fragment path by providing an invalid hash in the URL (or removing
it), bypassing URL signing and security rules.

For the stable distribution (jessie), this problem has been fixed in
version 2.3.21+dfsg-4+deb8u1.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem has been fixed in version 2.7.0~beta2+dfsg-2.

We recommend that you upgrade your symfony packages.
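The weakness the advisory describes is a signed-URL check on the /_fragment path that could be bypassed by supplying an invalid hash or leaving it out. As an added illustration (not Symfony's FragmentListener, and not part of the original mail), here is a minimal fail-closed version of that check in Python; the `_hash` parameter name, the HMAC-SHA256 signature and the query-parameter canonicalisation are assumptions of the example:

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

FRAGMENT_PATH = "/_fragment"  # internal path named in the advisory
HASH_PARAM = "_hash"          # query parameter carrying the signature (assumed name)


def _split_hash(url: str) -> tuple[str, str]:
    """Return (URL with the hash parameter removed, hash value or '')."""
    parts = urlsplit(url)
    given, rest = "", []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == HASH_PARAM:
            given = value
        else:
            rest.append((key, value))
    rest.sort()  # fixed parameter order so signer and checker hash the same string
    return urlunsplit(parts._replace(query=urlencode(rest))), given


def sign(url: str, secret: bytes) -> str:
    """Append an HMAC-SHA256 over the canonical URL as the hash parameter."""
    base, _ = _split_hash(url)
    mac = hmac.new(secret, base.encode(), hashlib.sha256).hexdigest()
    sep = "&" if urlsplit(base).query else "?"
    return f"{base}{sep}{HASH_PARAM}={mac}"


def check(url: str, secret: bytes) -> bool:
    """True only for a present AND valid hash; absence is a failure, not a pass."""
    base, given = _split_hash(url)
    if not given:
        return False
    expected = hmac.new(secret, base.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)  # constant-time comparison


def allow_request(url: str, secret: bytes) -> bool:
    """Request gate: only the fragment path is subject to signing."""
    if urlsplit(url).path != FRAGMENT_PATH:
        return True  # ordinary routes are covered by the normal security rules
    return check(url, secret)  # fragment path: deny unless the signature verifies
```

The point to take from `check` is that the missing-hash and wrong-hash cases share one outcome, so there is no unsigned path into the fragment controller.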
