[pkg-php-pear] Symfony in stable: Fix for CVE-2016-4423 in git
dabe at deb.ymc.ch
Tue May 10 05:40:36 UTC 2016
I prepared a fix for CVE-2016-4423 in branch
I recycled the Debian version 2.3.21+dfsg-4+deb8u3, since it was never
uploaded to the archive in the past. Please have a look at it and merge down
or cherry-pick whatever you think is appropriate.
In case this should be fixed via DSA, here is an initial draft for it:
In Mitre's CVE dictionary: CVE-2016-1902, CVE-2016-4423
Several vulnerabilities have been discovered in symfony, a framework to
create websites and web applications. The Common Vulnerabilities and
Exposures project identifies the following problems:
Lander Brandt discovered that on PHP installations where the
random_bytes() function is not available, Symfony falls back
to using openssl_random_pseudo_bytes(). If that does not work,
Symfony generates a secure random number using uniqid() and
mt_rand(), which are not suitable for cryptographic contexts.
Marek Alaksa of Citadelo discovered that when an authentication form
is submitted by the user and the user does not exist, the submitted
username is stored in the session. If an attacker submits multiple
requests with large usernames, he can potentially fill up the
For the stable distribution (jessie), these problems have been fixed in
We recommend that you upgrade your symfony packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Note that there is another CVE (CVE-2016-2403), which does not
affect the 2.3 series. But since 2.8 and 3.0 are affected by both
CVE-2016-2403 and CVE-2016-4423, I'll try to prepare updates to 2.8.6
and 3.0.6 later today.
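As an added example (not Symfony's or Debian's code, and not the patch referred to in this mail), here are the defensive patterns behind the two issues in the draft advisory: a random-bytes wrapper that fails closed instead of degrading to uniqid()/mt_rand(), and a bounded "last username" store so repeated failed logins cannot grow the session without limit. Function names are hypothetical; the session key follows Symfony's `_security.last_username` convention.

```php
<?php
// Added example; no scalar type hints so the fallback branch is meaningful
// on PHP 5.x, where random_bytes() does not exist.

/**
 * CSPRNG wrapper for the CVE-2016-1902 pattern: prefer random_bytes(),
 * accept openssl_random_pseudo_bytes() only when it reports a strong
 * source, and otherwise throw rather than use a non-cryptographic RNG.
 */
function secureRandomBytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('length must be a positive integer');
    }
    if (function_exists('random_bytes')) {            // PHP >= 7.0
        return random_bytes($length);
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($strong === true && is_string($bytes) && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    // Fail closed: never fall back to uniqid()/mt_rand().
    throw new RuntimeException('no cryptographically secure random source available');
}

/**
 * Bounded last-username storage for the CVE-2016-4423 pattern: keep at
 * most $maxLength bytes of attacker-controlled input in the session.
 */
function rememberLastUsername(array &$session, $username, $maxLength = 4096)
{
    $stored = substr((string) $username, 0, $maxLength);
    $session['_security.last_username'] = $stored;
    return $stored;
}

// Demonstration with a constructed oversized username (1 MB of 'A').
$session = array();
$huge    = str_repeat('A', 1000000);
$kept    = rememberLastUsername($session, $huge);
printf("stored %d bytes of a %d-byte username\n", strlen($kept), strlen($huge));
printf("token: %s\n", bin2hex(secureRandomBytes(16)));
```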