Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4362
symfony security update
19 November 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: symfony
Publisher: Debian
Operating System: Debian GNU/Linux 9
Debian GNU/Linux 10
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-18889 CVE-2019-18888 CVE-2019-18887
Original Bulletin:
http://www.debian.org/security/2019/dsa-4573
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running symfony check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4573-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 18, 2019 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : symfony
CVE ID : CVE-2019-18887 CVE-2019-18888 CVE-2019-18889
Multiple vulnerabilities have been found in the Symfony PHP framework
which could lead to a timing attack/information leak, argument injection
and code execution via unserialization.
For the oldstable distribution (stretch), these problems have been fixed
in version 2.8.7+dfsg-1.3+deb9u3.
For the stable distribution (buster), these problems have been fixed in
version 3.4.22+dfsg-2+deb10u1.
We recommend that you upgrade your symfony packages.
For the detailed security status of symfony please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/symfony
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl3TFFQACgkQEMKTtsN8
TjbEshAAh2IMq7UliNw+lXUEvxZ6Me3f29jdI9qco8nwoEXcVI99NK9wbJQnHG3j
0r8d4DsonNxTrTcCfEH8u24QZwWBiJmsuPIcIq7oiYyaN34W+Q/Wh+Xx+GwLN9ij
bWIdGiFi786MJIyLTLipXUCHNfqi4XDXY76WJqVhCSZru39tff5ah9KMeLB/5VuZ
x2pfAdRAom4zxMiNwYlR2qELDTAbEUvtAIuQH4HGtZeApVDYRsyaa0l6f0nSeo7U
nuRCUG9syoFxgmz6x3+OkTCMZ83tCxcB7s1NA9jNk3+NhA+RkHkhFKRkCJAHTJzV
8EngG9HxNJZydPMXilzzWTqofAxpHHVmshrixukIof5Vjskxbx7DeWc6YruE+DBV
5/8iSZkO2pjGJUYNMiZAfZoppjAWSG7e1Hn3dNZTREFnWL3BwOzZz5fxynS96o5u
Y1VBnFwBKt/QT5FybvXVznvupfAZDow5ss9XcKwax40odFtVTK1jeQVu9em65dlB
9erPpVsTxT+l36Zlmd9ia7WRCp0Pmx+B+dLa6jmr6aQrbB2ZoelFMBiDeLEgd2Mj
EUmmatF8pE0v5O8+7yJG/MEB2DkQt0L+k0Vru8AG7Iy03TPlhKK9V0Zh9wiAHfYi
dBwhJ1oeJUOWlHTTe2Mm3Qr8cpoePvWVPdNfC5N3cpRHu8gTcVc=
=Rzxs
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXdNEA2aOgq3Tt24GAQiE6hAA0312YPuPi5FqP5PuT3kk8jx1beHZNxFI
YVLprTRNO5fXyLhiK2SDaI+xf6AHobMuQ4c05kkLyRHKZX0RPXyPLikNMG8HcqDi
rC5lKUqKpfQwZzeACVSV4UmB/sPBQK0JGhrMn1aJnpHkIzIzKmJNo6VfdPtAkbSF
/qY/Oqwd+kgVEzsQPK+wqeEly3/lIhv0w3u0lwd14On9C7/6ifgzXdUZBjAYbuIY
rGEKbJaanQKXEwXYIo9wvk4VHTPzaU0Py4waxM7/X5o3r6SHm7rl8V3xww8VLlHK
dwa6N4STy3dtz+1RR2awKMTPWSB2xKva0TDgPtCL9lqdMZdZiYrJs1xpSCppq9WE
hRz5tRNTAgiwucBAYrRYDjdCPp2AbeiwcTdqwzGbxhYRbai0Jt9fntjVJVrXdBvM
A7UuzvrzMZ2C1gtCgl8Qqpy4TkGR/8AUekXFCqySaRiLsH12kBIYBDMdg3opy2r1
ctTRoaMNThSQYe1hKzvrmSHkTgksk+Sc5pWgxY2o45z5JzHSVu1LBrxPuBORdT0/
QTmARiyUMxK8l75fB+jpzPPu+ZMtg5oscl9ColYkCZDSsUbSHRdkly2TEeTU2mmt
Mj1H+StxP3UCRfKQJAJ9NAqWVh2GCElzJcLgaf8Rxd+N0CHc/XEWCqAOqZNDFTo1
jPlVTXD+4F8=
=RJuB
-----END PGP SIGNATURE-----