Source: symfony Version: 5.4.30+dfsg-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 5.4.29+dfsg-1 Control: found -1 5.4.23+dfsg-1
Hi, The following vulnerability was published for symfony. CVE-2023-46733[0]: | Symfony is a PHP framework for web and console applications and a | set of reusable PHP components. Starting in versions 5.4.21 and | 6.2.7 and prior to versions 5.4.31 and 6.3.8, | `SessionStrategyListener` does not migrate the session after every | successful login. It does so only in case the logged in user changes | by means of checking the user identifier. In some use cases, the | user identifier doesn't change between the verification phase and | the successful login, while the token itself changes from one type | (partially-authenticated) to another (fully-authenticated). When | this happens, the session id should be regenerated to prevent | possible session fixations, which is not the case at the moment. As | of versions 5.4.31 and 6.3.8, Symfony now checks the type of the | token in addition to the user identifier before deciding whether the | session id should be regenerated. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-46733 https://www.cve.org/CVERecord?id=CVE-2023-46733 [1] https://github.com/symfony/symfony/security/advisories/GHSA-m2wj-r6g3-fxfx [2] https://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74 Please adjust the affected versions in the BTS as needed. Regards, Salvatore -- System Information: Debian Release: trixie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 6.5.0-4-amd64 (SMP w/8 CPU threads; PREEMPT) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
