[SECURITY] [DSA 4441-1] symfony security update

2019-05-1006:26:19

lists.debian.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Debian Security Advisory DSA-4441-1 [email protected]
https://www.debian.org/security/ Sebastien Delafond
May 10, 2019 https://www.debian.org/security/faq

Package : symfony
CVE ID : CVE-2018-14773 CVE-2018-19789 CVE-2018-19790 CVE-2019-10909
CVE-2019-10910 CVE-2019-10911 CVE-2019-10912 CVE-2019-10913

Multiple vulnerabilities were discovered in the Symfony PHP framework
which could lead to cache bypass, authentication bypass, information
disclosure, open redirect, cross-site request forgery, deletion of
arbitrary files, or arbitrary code execution.

For the stable distribution (stretch), these problems have been fixed in
version 2.8.7+dfsg-1.3+deb9u2.

We recommend that you upgrade your symfony packages.

For the detailed security status of symfony please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/symfony

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian9allphp-symfony-http-kernel< 2.8.7+dfsg-1.3+deb9u2php-symfony-http-kernel_2.8.7+dfsg-1.3+deb9u2_all.deb
Debian8allphp-symfony-css-selector< 2.3.21+dfsg-4+deb8u4php-symfony-css-selector_2.3.21+dfsg-4+deb8u4_all.deb
Debian8allphp-symfony-security< 2.3.21+dfsg-4+deb8u4php-symfony-security_2.3.21+dfsg-4+deb8u4_all.deb
Debian8allphp-symfony-swiftmailer-bridge< 2.3.21+dfsg-4+deb8u4php-symfony-swiftmailer-bridge_2.3.21+dfsg-4+deb8u4_all.deb
Debian9allphp-symfony-asset< 2.8.7+dfsg-1.3+deb9u2php-symfony-asset_2.8.7+dfsg-1.3+deb9u2_all.deb
Debian8allphp-symfony-dom-crawler< 2.3.21+dfsg-4+deb8u4php-symfony-dom-crawler_2.3.21+dfsg-4+deb8u4_all.deb
Debian8allphp-symfony-framework-bundle< 2.3.21+dfsg-4+deb8u4php-symfony-framework-bundle_2.3.21+dfsg-4+deb8u4_all.deb
Debian8allphp-symfony-http-foundation< 2.3.21+dfsg-4+deb8u5php-symfony-http-foundation_2.3.21+dfsg-4+deb8u5_all.deb
Debian9allphp-symfony-locale< 2.8.7+dfsg-1.3+deb9u2php-symfony-locale_2.8.7+dfsg-1.3+deb9u2_all.deb
Debian8allphp-symfony-finder< 2.3.21+dfsg-4+deb8u5php-symfony-finder_2.3.21+dfsg-4+deb8u5_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	all	php-symfony-http-kernel	< 2.8.7+dfsg-1.3+deb9u2	php-symfony-http-kernel_2.8.7+dfsg-1.3+deb9u2_all.deb
Debian	8	all	php-symfony-css-selector	< 2.3.21+dfsg-4+deb8u4	php-symfony-css-selector_2.3.21+dfsg-4+deb8u4_all.deb
Debian	8	all	php-symfony-security	< 2.3.21+dfsg-4+deb8u4	php-symfony-security_2.3.21+dfsg-4+deb8u4_all.deb
Debian	8	all	php-symfony-swiftmailer-bridge	< 2.3.21+dfsg-4+deb8u4	php-symfony-swiftmailer-bridge_2.3.21+dfsg-4+deb8u4_all.deb
Debian	9	all	php-symfony-asset	< 2.8.7+dfsg-1.3+deb9u2	php-symfony-asset_2.8.7+dfsg-1.3+deb9u2_all.deb
Debian	8	all	php-symfony-dom-crawler	< 2.3.21+dfsg-4+deb8u4	php-symfony-dom-crawler_2.3.21+dfsg-4+deb8u4_all.deb
Debian	8	all	php-symfony-framework-bundle	< 2.3.21+dfsg-4+deb8u4	php-symfony-framework-bundle_2.3.21+dfsg-4+deb8u4_all.deb
Debian	8	all	php-symfony-http-foundation	< 2.3.21+dfsg-4+deb8u5	php-symfony-http-foundation_2.3.21+dfsg-4+deb8u5_all.deb
Debian	9	all	php-symfony-locale	< 2.8.7+dfsg-1.3+deb9u2	php-symfony-locale_2.8.7+dfsg-1.3+deb9u2_all.deb
Debian	8	all	php-symfony-finder	< 2.3.21+dfsg-4+deb8u5	php-symfony-finder_2.3.21+dfsg-4+deb8u5_all.deb