Debian Bug report logs -
#1055775
symfony: CVE-2023-46733
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 11 Nov 2023 07:57:07 UTC
Severity: important
Tags: pending, security, upstream
Found in versions symfony/5.4.23+dfsg-1, symfony/5.4.29+dfsg-1, symfony/5.4.30+dfsg-1
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
:
Bug#1055775
; Package src:symfony
.
(Sat, 11 Nov 2023 07:57:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
.
(Sat, 11 Nov 2023 07:57:09 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: symfony
Version: 5.4.30+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 5.4.29+dfsg-1
Control: found -1 5.4.23+dfsg-1
Hi,
The following vulnerability was published for symfony.
CVE-2023-46733[0]:
| Symfony is a PHP framework for web and console applications and a
| set of reusable PHP components. Starting in versions 5.4.21 and
| 6.2.7 and prior to versions 5.4.31 and 6.3.8,
| `SessionStrategyListener` does not migrate the session after every
| successful login. It does so only in case the logged in user changes
| by means of checking the user identifier. In some use cases, the
| user identifier doesn't change between the verification phase and
| the successful login, while the token itself changes from one type
| (partially-authenticated) to another (fully-authenticated). When
| this happens, the session id should be regenerated to prevent
| possible session fixations, which is not the case at the moment. As
| of versions 5.4.31 and 6.3.8, Symfony now checks the type of the
| token in addition to the user identifier before deciding whether the
| session id should be regenerated.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-46733
https://www.cve.org/CVERecord?id=CVE-2023-46733
[1] https://github.com/symfony/symfony/security/advisories/GHSA-m2wj-r6g3-fxfx
[2] https://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.5.0-4-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Marked as found in versions symfony/5.4.29+dfsg-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Sat, 11 Nov 2023 07:57:09 GMT) (full text, mbox, link).
Marked as found in versions symfony/5.4.23+dfsg-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Sat, 11 Nov 2023 07:57:10 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from David Prévot <taffit@debian.org>
to control@bugs.debian.org
.
(Sat, 11 Nov 2023 17:33:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Nov 11 17:55:41 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.