Register | Log in

symfony

Choose email to subscribe with

general

source: symfony (main)
version: 3.4.20+dfsg-1
maintainer: Debian PHP PEAR Maintainers (archive) [DMD]
uploaders: David Prévot [DMD] – Daniel Beyer [DMD]
arch: all
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 2.3.21+dfsg-4+deb8u3
old-sec: 2.3.21+dfsg-4+deb8u3
stable: 2.8.7+dfsg-1.3+deb9u1
stable-sec: 2.8.7+dfsg-1.3+deb9u1
testing: 3.4.19+dfsg-1
unstable: 3.4.20+dfsg-1

versioned links

2.3.21+dfsg-4+deb8u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.8.7+dfsg-1.3+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.4.19+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.4.20+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

action needed

4 security issues in stretch high

There are 4 open security issues in stretch.

2 important issues:

CVE-2018-19790:
CVE-2018-19789:

2 issues skipped by the security teams:

CVE-2018-14774: An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.
CVE-2018-14773: An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.

Please fix them.

Created: 2018-06-14 Last update: 2018-12-07 08:59

8 security issues in jessie high

There are 8 open security issues in jessie.

8 important issues:

CVE-2018-11408: The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.
CVE-2018-19789:
CVE-2017-16654: An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal.
CVE-2017-16652: An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks.
CVE-2018-14774: An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.
CVE-2018-19790:
CVE-2018-11385: An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.
CVE-2018-14773: An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.

Please fix them.

Created: 2018-06-14 Last update: 2018-12-07 08:59

2 security issues in buster high

There are 2 open security issues in buster.

2 important issues:

CVE-2018-19790:
CVE-2018-19789:

Please fix them.

Created: 2018-12-07 Last update: 2018-12-07 08:59

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2018-10-01 Last update: 2018-12-11 12:04

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-08-06 Last update: 2018-12-11 09:33

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2018-10-12 Last update: 2018-10-12 08:27

testing migrations

excuses:
- Too young, only 4 of 5 days old
- Piuparts tested OK - https://piuparts.debian.org/sid/source/s/symfony.html
- Not considered

news

[2018-12-07] Accepted symfony 3.4.20+dfsg-1 (source) into unstable (David Prévot)
[2018-12-04] symfony 3.4.19+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-11-29] Accepted symfony 3.4.19+dfsg-1 (source) into unstable (David Prévot)
[2018-10-09] symfony 3.4.17+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-10-06] Accepted symfony 3.4.17+dfsg-1 (source all) into unstable (David Prévot)
[2018-10-06] Accepted symfony 3.4.16+dfsg-1 (source) into unstable (David Prévot)
[2018-09-05] symfony 3.4.15+dfsg-2 MIGRATED to testing (Debian testing watch)
[2018-09-01] Accepted symfony 3.4.15+dfsg-2 (source) into unstable (David Prévot)
[2018-09-01] Accepted symfony 3.4.15+dfsg-1 (source) into unstable (David Prévot)
[2018-08-05] symfony 3.4.14+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-08-04] Accepted symfony 2.8.7+dfsg-1.3+deb9u1 (source) into proposed-updates->stable-new, proposed-updates (David Prévot)
[2018-08-03] Accepted symfony 2.8.7+dfsg-1.3+deb9u1 (source) into stable->embargoed, stable (David Prévot)
[2018-08-03] Accepted symfony 3.4.14+dfsg-1 (source) into unstable (David Prévot)
[2018-07-27] symfony 3.4.13+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-07-25] Accepted symfony 3.4.13+dfsg-1 (source) into unstable (David Prévot)
[2018-07-22] Accepted symfony 3.4.12+dfsg-1 (source) into unstable (David Prévot)
[2018-03-11] symfony 3.4.6+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-03-06] Accepted symfony 3.4.6+dfsg-1 (source) into unstable (David Prévot)
[2018-02-25] symfony 3.4.3+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-01-06] Accepted symfony 3.4.3+dfsg-1 (source) into unstable (David Prévot)
[2017-12-16] Accepted symfony 3.4.2+dfsg-1 (source) into unstable (David Prévot)
[2017-12-06] Accepted symfony 3.4.1+dfsg-1 (source) into unstable (David Prévot)
[2017-12-01] Accepted symfony 3.4.0+dfsg-1 (source) into unstable (David Prévot)
[2017-11-26] Accepted symfony 3.4.0~rc2+dfsg-1 (source) into experimental (David Prévot)
[2017-11-24] Accepted symfony 3.4.0~rc1+dfsg-1 (source) into experimental (David Prévot)
[2017-10-25] Accepted symfony 3.4.0~beta1+dfsg-1 (source all) into experimental, experimental (David Prévot)
[2017-10-16] Accepted symfony 3.3.10+dfsg-1 (source all) into experimental (David Prévot)
[2017-10-16] Accepted symfony 3.3.9+dfsg-1 (source all) into experimental, experimental (David Prévot)
[2017-05-30] symfony 2.8.7+dfsg-1.3 MIGRATED to testing (Debian testing watch)
[2017-05-27] Accepted symfony 2.8.7+dfsg-1.3 (source) into unstable (James Clarke)

1
2

bugs [bug history graph]

all: 4
RC: 0
I&N: 2
M&W: 2
F&P: 0
patch: 1

links

homepage
lintian (0, 1)
buildd: logs, clang, reproducibility
popcon
debci
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.4.19+dfsg-1ubuntu1
1 bug
patches for 3.4.19+dfsg-1ubuntu1

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing