-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 11 Jul 2023 01:15:17 +0200 Source: symfony Architecture: source Version: 3.4.22+dfsg-2+deb10u2 Distribution: buster-security Urgency: high Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org> Changed-By: Guilhem Moulin <guilhem@debian.org> Changes: symfony (3.4.22+dfsg-2+deb10u2) buster-security; urgency=high . * Non-maintainer upload by the LTS Security Team. * Fix CVE-2021-21424: The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. 403s are now returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. * Fix CVE-2022-24894: The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients. In a recent `AbstractSessionListener` change, the response might now contain a `Set-Cookie header`. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vulnerability to retrieve the victim's session. The `HttpStore` constructor now takes a parameter containing a list of private headers (by default `Set-Cookie`) that are removed from the HTTP response headers. * Fix CVE-2022-24895: When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. CSRF tokens were not cleared upon login, which could enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. Checksums-Sha1: e2c26132677a91e207033f9f0d5c752d63489239 6902 symfony_3.4.22+dfsg-2+deb10u2.dsc 832d2ce7cc382f89f145732fb81e09fe85e18a52 54984 symfony_3.4.22+dfsg-2+deb10u2.debian.tar.xz c08ee8f9f1414bc64842a93c1bd2497aa1c6e709 29712 symfony_3.4.22+dfsg-2+deb10u2_amd64.buildinfo Checksums-Sha256: f54bfe1a9d761249b57539260b2b47661bce66a97e5b9ee7be4b72cabfde27fa 6902 symfony_3.4.22+dfsg-2+deb10u2.dsc 0614de7f433afc4b4a23c5ce8b4dc30e331db51b7eca66d4c95f4e12bf31410d 54984 symfony_3.4.22+dfsg-2+deb10u2.debian.tar.xz d3a823a7b6e3c0d17fe00693f6bef7d00099652c0b44fd360a6ddcb4a271a2f8 29712 symfony_3.4.22+dfsg-2+deb10u2_amd64.buildinfo Files: 4f5353330600fd09bae91113398172c3 6902 php optional symfony_3.4.22+dfsg-2+deb10u2.dsc 9f78f3aef698fb88f26d5022731d7407 54984 php optional symfony_3.4.22+dfsg-2+deb10u2.debian.tar.xz 3d784991d4c7206318156f655d3b5508 29712 php optional symfony_3.4.22+dfsg-2+deb10u2_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmSskbUACgkQ05pJnDwh pVK7xw/+NdRcVOKzIS2jkJgg8zdelbgb6I8qCXtTnI0ab6Eg+25u53nwpf7DJXph vhBylszuZuP+Z5lfm+84GErVVkFBH8PZtmHi9PrTlkLJOYSofyg8hLh9eAYDDj5E xKlmp33mB8KTEL1HYq9pGWZDy7En8kIi2RVu+vpX7gNvXvHmZn7go2H3m7m+vfd6 FiY6ylmazMTT3N4leCbPU8FFSlR46u/3SifS8pbxJE6zK/Btc5XoWmGVCSSdrwkR SplmFbkuin8d4lCyLoDV0/ZyssSCPLMtaFoQsDGXgDjwfHlHspGfShmPRgWgPvce tlq4D63AMd/iqR993qPiR7geBqfrGs+STxx+cdP3sELxdb0P57JpssD5lT0d51dt PJyhTJ+ETPAJDRXaFjywG1/FnN1snD+lhrvyHaOrSkE/E+Y9hMp/i2JeGtzcpf5n rFpbFrE1kR3saMh3ylFmS3+n26vPAuk97SEgN5Hdj4KTXgoFB525blAKSJiaCQvu NeGTsUj1r7sI429/A8zoxmJM0eDmuDUdE2nKPjmGkAkySDWvZWhTGI50e5uFxd92 PiI6WT7MTysZ1+7ZuE2VxA6ut53DqsDDT0dzt25O9s2Hsd3zqf+IiBQzLiiVToxH 65jgnJowpw95a6DDxlen+ZybTNrPh9u+Ny9GByRCFg5xkonp8o8= =x4W6 -----END PGP SIGNATURE-----