Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4362 symfony security update 19 November 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: symfony Publisher: Debian Operating System: Debian GNU/Linux 9 Debian GNU/Linux 10 UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-18889 CVE-2019-18888 CVE-2019-18887 Original Bulletin: http://www.debian.org/security/2019/dsa-4573 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running symfony check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4573-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff November 18, 2019 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : symfony CVE ID : CVE-2019-18887 CVE-2019-18888 CVE-2019-18889 Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to a timing attack/information leak, argument injection and code execution via unserialization. For the oldstable distribution (stretch), these problems have been fixed in version 2.8.7+dfsg-1.3+deb9u3. For the stable distribution (buster), these problems have been fixed in version 3.4.22+dfsg-2+deb10u1. We recommend that you upgrade your symfony packages. For the detailed security status of symfony please refer to its security tracker page at: https://security-tracker.debian.org/tracker/symfony Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl3TFFQACgkQEMKTtsN8 TjbEshAAh2IMq7UliNw+lXUEvxZ6Me3f29jdI9qco8nwoEXcVI99NK9wbJQnHG3j 0r8d4DsonNxTrTcCfEH8u24QZwWBiJmsuPIcIq7oiYyaN34W+Q/Wh+Xx+GwLN9ij bWIdGiFi786MJIyLTLipXUCHNfqi4XDXY76WJqVhCSZru39tff5ah9KMeLB/5VuZ x2pfAdRAom4zxMiNwYlR2qELDTAbEUvtAIuQH4HGtZeApVDYRsyaa0l6f0nSeo7U nuRCUG9syoFxgmz6x3+OkTCMZ83tCxcB7s1NA9jNk3+NhA+RkHkhFKRkCJAHTJzV 8EngG9HxNJZydPMXilzzWTqofAxpHHVmshrixukIof5Vjskxbx7DeWc6YruE+DBV 5/8iSZkO2pjGJUYNMiZAfZoppjAWSG7e1Hn3dNZTREFnWL3BwOzZz5fxynS96o5u Y1VBnFwBKt/QT5FybvXVznvupfAZDow5ss9XcKwax40odFtVTK1jeQVu9em65dlB 9erPpVsTxT+l36Zlmd9ia7WRCp0Pmx+B+dLa6jmr6aQrbB2ZoelFMBiDeLEgd2Mj EUmmatF8pE0v5O8+7yJG/MEB2DkQt0L+k0Vru8AG7Iy03TPlhKK9V0Zh9wiAHfYi dBwhJ1oeJUOWlHTTe2Mm3Qr8cpoePvWVPdNfC5N3cpRHu8gTcVc= =Rzxs - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXdNEA2aOgq3Tt24GAQiE6hAA0312YPuPi5FqP5PuT3kk8jx1beHZNxFI YVLprTRNO5fXyLhiK2SDaI+xf6AHobMuQ4c05kkLyRHKZX0RPXyPLikNMG8HcqDi rC5lKUqKpfQwZzeACVSV4UmB/sPBQK0JGhrMn1aJnpHkIzIzKmJNo6VfdPtAkbSF /qY/Oqwd+kgVEzsQPK+wqeEly3/lIhv0w3u0lwd14On9C7/6ifgzXdUZBjAYbuIY rGEKbJaanQKXEwXYIo9wvk4VHTPzaU0Py4waxM7/X5o3r6SHm7rl8V3xww8VLlHK dwa6N4STy3dtz+1RR2awKMTPWSB2xKva0TDgPtCL9lqdMZdZiYrJs1xpSCppq9WE hRz5tRNTAgiwucBAYrRYDjdCPp2AbeiwcTdqwzGbxhYRbai0Jt9fntjVJVrXdBvM A7UuzvrzMZ2C1gtCgl8Qqpy4TkGR/8AUekXFCqySaRiLsH12kBIYBDMdg3opy2r1 ctTRoaMNThSQYe1hKzvrmSHkTgksk+Sc5pWgxY2o45z5JzHSVu1LBrxPuBORdT0/ QTmARiyUMxK8l75fB+jpzPPu+ZMtg5oscl9ColYkCZDSsUbSHRdkly2TEeTU2mmt Mj1H+StxP3UCRfKQJAJ9NAqWVh2GCElzJcLgaf8Rxd+N0CHc/XEWCqAOqZNDFTo1 jPlVTXD+4F8= =RJuB -----END PGP SIGNATURE-----