
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0748
                   [DLA 1707-1] symfony security update
                               11 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           symfony
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-19790 CVE-2018-19789 CVE-2018-14773
                   CVE-2018-11408 CVE-2018-11385 CVE-2017-16654
                   CVE-2017-16652  

Reference:         ESB-2018.2257

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html

--------------------------BEGIN INCLUDED TEXT--------------------


Package        : symfony
Version        : 2.3.21+dfsg-4+deb8u4
CVE ID         : CVE-2017-16652 CVE-2017-16654 CVE-2018-11385 CVE-2018-11408
                 CVE-2018-14773 CVE-2018-19789 CVE-2018-19790


Several security vulnerabilities have been discovered in symfony, a PHP
web application framework.  Numerous symfony components are affected:
Security, bundle readers, session handling, SecurityBundle,
HttpFoundation, Form, and Security\Http.  The issues are three open
redirects in the security handlers and Security\Http (CVE-2017-16652,
CVE-2018-11408, CVE-2018-19790), Intl bundle readers breaking out of
their configured paths (CVE-2017-16654), a session fixation issue in
Guard authentication (CVE-2018-11385), support for legacy and risky
HTTP headers that has now been removed (CVE-2018-14773), and disclosure
of the full path of uploaded files (CVE-2018-19789).

The corresponding upstream advisories contain further details:

[CVE-2017-16652]
https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers

[CVE-2017-16654]
https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths

[CVE-2018-11385]
https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication

[CVE-2018-11408]
https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers

[CVE-2018-14773]
https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers

[CVE-2018-19789]
https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path

[CVE-2018-19790]
https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http

For Debian 8 "Jessie", these problems have been fixed in version
2.3.21+dfsg-4+deb8u4.

We recommend that you upgrade your symfony packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================