oss-sec mailing list archives
Re: CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 05 Jun 2012 00:22:08 -0600
On 06/04/2012 12:39 PM, Kurt Seifried wrote:
> On 06/04/2012 02:26 AM, Jan Lieskovsky wrote:
>> Hello Kurt, Steve, vendors,
>>
>> a session fixation flaw was found in the way Symfony, an open-source PHP web application development framework, performed removal of a user credential, addition of several user credentials at once, and 'user authenticated' setting change by regenerating the session ID. A remote attacker could provide a specially crafted URL that, when visited by a valid Symfony application user (victim), could lead to unauthorized access to the victim's user account.
>>
>> References:
>> [1] https://bugs.gentoo.org/show_bug.cgi?id=418427
>> [2] http://symfony.com/blog/security-release-symfony-1-4-18-released
>> [3] http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG
>>
>> Upstream patch:
>> [4] http://trac.symfony-project.org/changeset/33466?format=diff&new=33466
>>
>> Could you allocate a CVE id for this? (afaics there hasn't been one requested for this issue yet during the last month / from the start of June 2012)
>>
>> Thank you && Regards, Jan.
>> --
>> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> Please use CVE-2011-4964 for this issue.

Argh, I was not paying attention and assigned the wrong year. Please REJECT CVE-2011-4964 and use CVE-2012-2667 instead.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
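The hardening this thread is about, regenerating the session ID whenever the authentication state or the credential set changes, as an added illustration in plain PHP (this is not Symfony's own code; the class and method names are assumptions):

```php
<?php
// Added illustration, not Symfony's code: a session-backed user that regenerates
// the session ID on every authentication or credential change, so an ID planted
// in the victim's browser before login does not survive it. Names are assumptions.
final class SessionUser
{
    public function __construct()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            // Take the session ID from the cookie only, never from the URL.
            ini_set('session.use_only_cookies', '1');
            ini_set('session.use_trans_sid', '0');
            session_start();
        }
        $_SESSION['authenticated'] = $_SESSION['authenticated'] ?? false;
        $_SESSION['credentials'] = $_SESSION['credentials'] ?? [];
    }

    public function setAuthenticated(bool $authenticated): void
    {
        if ($_SESSION['authenticated'] === $authenticated) {
            return; // no state change, nothing to regenerate
        }
        $_SESSION['authenticated'] = $authenticated;
        if (!$authenticated) {
            $_SESSION['credentials'] = []; // logout drops all credentials
        }
        $this->regenerate();
    }

    public function addCredentials(string ...$credentials): void
    {
        $merged = array_merge($_SESSION['credentials'], $credentials);
        $_SESSION['credentials'] = array_values(array_unique($merged));
        $this->regenerate();
    }

    public function removeCredential(string $credential): void
    {
        $remaining = array_diff($_SESSION['credentials'], [$credential]);
        $_SESSION['credentials'] = array_values($remaining);
        $this->regenerate();
    }

    private function regenerate(): void
    {
        // true discards the old session data, so the planted ID is unusable.
        session_regenerate_id(true);
    }
}
```

A quick check for an application is to log in with a known cookie value and confirm the session cookie changes on login, on logout, and on any privilege change.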