Your message dated Sat, 11 Nov 2023 18:21:36 +0000
with message-id <[email protected]>
and subject line Bug#1055774: fixed in symfony 5.4.31+dfsg-1
has caused the Debian Bug report #1055774,
regarding symfony: CVE-2023-46734
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1055774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055774
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: symfony
Version: 5.4.30+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 5.4.29+dfsg-1
Control: found -1 5.4.23+dfsg-1
Control: found -1 4.4.19+dfsg-2+deb11u3
Control: found -1 4.4.19+dfsg-2
Control: found -1 3.4.22+dfsg-2+deb10u2
Control: found -1 3.4.22+dfsg-2

Hi,

The following vulnerability was published for symfony.

CVE-2023-46734[0]:
| Symfony is a PHP framework for web and console applications and a
| set of reusable PHP components. Starting in versions 2.0.0, 5.0.0,
| and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig
| filters in CodeExtension use `is_safe=html` but don't actually
| ensure their input is safe. As of versions 4.4.51, 5.4.31, and
| 6.3.8, Symfony now escapes the output of the affected filters.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46734
    https://www.cve.org/CVERecord?id=CVE-2023-46734
[1] https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
[2] https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c

Regards,
Salvatore

--- End Message ---
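The bug report above describes the failure mode in one sentence: a Twig filter declared `is_safe=html` tells Twig not to autoescape its output, so the filter itself becomes responsible for escaping, and the affected CodeExtension filters did not do that. The following is an added example, not code from the Symfony project or from this bug report. It models Twig's `is_safe` rule in plain PHP so it runs without a Twig install (`php example.php`), using a hypothetical filter named `short_class` first in the vulnerable shape and then in the shape of the fix the advisory describes, which keeps `is_safe=html` but escapes the input before interpolating it into markup. The `Filter` class, `render()`, `shortName()` and the `App\Foo"><script>` payload are all constructed for the example; in real Twig the declaration is `new TwigFilter('name', $callable, ['is_safe' => ['html']])`.

```php
<?php
// Added example (not Symfony's or Twig's code). Models Twig's `is_safe` rule
// in plain PHP so it runs with `php example.php` and no Twig installation.
declare(strict_types=1);

const ESC_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

function esc(string $s): string
{
    return htmlspecialchars($s, ESC_FLAGS, 'UTF-8');
}

/**
 * Stand-in for Twig\TwigFilter: a callable plus its options array.
 * The real declaration looks like
 *   new TwigFilter('short_class', [$this, 'shortClass'], ['is_safe' => ['html']]);
 */
final class Filter
{
    /** @param array{is_safe?: string[]} $options */
    public function __construct(
        public string $name,
        private \Closure $callable,
        private array $options = [],
    ) {
    }

    public function isSafeFor(string $strategy): bool
    {
        return in_array($strategy, $this->options['is_safe'] ?? [], true);
    }

    public function apply(string $value): string
    {
        return ($this->callable)($value);
    }
}

/**
 * The autoescape rule Twig applies to `{{ value|filter }}`: if the filter
 * declares its output safe for the active strategy, the result is printed
 * verbatim; otherwise Twig escapes it. A filter that claims is_safe=html
 * therefore takes over full responsibility for escaping.
 */
function render(Filter $filter, string $value, string $strategy = 'html'): string
{
    $out = $filter->apply($value);
    return $filter->isSafeFor($strategy) ? $out : esc($out);
}

/** Last segment of a backslash-separated class name (hypothetical helper). */
function shortName(string $class): string
{
    $parts = explode('\\', $class);
    return end($parts);
}

// Vulnerable shape: the filter must emit markup, so is_safe=html is the
// right declaration, but the untrusted input lands in that markup unescaped.
$vulnerable = new Filter(
    'short_class',
    fn (string $class): string => sprintf('<abbr title="%s">%s</abbr>', $class, shortName($class)),
    ['is_safe' => ['html']],
);

// Fixed shape (what the advisory describes): keep is_safe=html, but escape
// every piece of input before interpolating it into the markup.
$fixed = new Filter(
    'short_class',
    fn (string $class): string => sprintf('<abbr title="%s">%s</abbr>', esc($class), esc(shortName($class))),
    ['is_safe' => ['html']],
);

// Constructed attacker-controlled value, e.g. a class name echoed on a debug
// or error page.
$payload = 'App\\Foo"><script>alert(1)</script>';

foreach (['vulnerable' => $vulnerable, 'fixed' => $fixed] as $label => $filter) {
    $html = render($filter, $payload);
    // Practitioner check: a raw <script> tag surviving into the output means
    // the is_safe declaration was not backed by real escaping.
    $verdict = str_contains($html, '<script') ? 'UNSAFE' : 'escaped';
    printf("%-10s %-8s %s\n", $label, $verdict, $html);
}
```

The point of the two definitions is that the fix does not remove `is_safe` (the filter genuinely produces HTML, and dropping the flag would double-escape its own tags); it moves the escaping inside the filter so that every interpolated piece of input passes through `htmlspecialchars` before it is wrapped. When auditing your own Twig extensions, treat every `is_safe` entry as a claim to verify: grep for `'is_safe'` and confirm each callable escapes everything it did not generate itself.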
--- Begin Message ---
Source: symfony
Source-Version: 5.4.31+dfsg-1
Done: David Prévot <[email protected]>

We believe that the bug you reported is fixed in the latest version of
symfony, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated symfony package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 11 Nov 2023 18:34:50 +0100
Source: symfony
Architecture: source
Version: 5.4.31+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: David Prévot <[email protected]>
Closes: 1055774 1055775
Changes:
 symfony (5.4.31+dfsg-1) unstable; urgency=medium
 .
   [ Fabien Potencier ]
   * Update VERSION for 5.4.31
 .
   [ Nicolas Grekas ]
   * [TwigBridge] Ensure CodeExtension's filters properly escape their input
     [CVE-2023-46734] (Closes: #1055774)
 .
   [ Robert ]
   * [Security] Fix possible session fixation when only the *token* changes
     [CVE-2023-46733] (Closes: #1055775)
Checksums-Sha1:
 5a9f50b910ac330f44d30af824d4d5ae504b660b 13230 symfony_5.4.31+dfsg-1.dsc
 f4b225017815228729571d2051e60454d65d8737 5022568 symfony_5.4.31+dfsg.orig.tar.xz
 512ee7394702c198c9ab4bed63dd8b5249856692 59176 symfony_5.4.31+dfsg-1.debian.tar.xz
 42714723e1097be513f8a6bcff7ef7792816922a 53828 symfony_5.4.31+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 80913fb2b8f04cf37d5968ac2b95afecd18769ab83e0a905ba1d9cd5822888c8 13230 symfony_5.4.31+dfsg-1.dsc
 99fa997fcc3ff31fb9d023144baa19a41edf266a8f0042deabfda1c6ad70b7c2 5022568 symfony_5.4.31+dfsg.orig.tar.xz
 448c8cffbca665073bbe8a1cc50ea185c2dce8966e8adc1e5edce29a1cfd5250 59176 symfony_5.4.31+dfsg-1.debian.tar.xz
 04f49a2229bb6969fa3849bcbaae67119e5a06e6d35b7fbde80ee55f372a05a3 53828 symfony_5.4.31+dfsg-1_amd64.buildinfo
Files:
 a3a67bb8f7c9a6647584a7a4d883d3b2 13230 php optional symfony_5.4.31+dfsg-1.dsc
 4012f921f5506bae7a06b3dfe494070b 5022568 php optional symfony_5.4.31+dfsg.orig.tar.xz
 eed08c612db6817d814c48a781990ef6 59176 php optional symfony_5.4.31+dfsg-1.debian.tar.xz
 3aa2e8acc4782400a1e11685a187afb4 53828 php optional symfony_5.4.31+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFGBAEBCAAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmVPwgcSHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r080s8H/AlpAf77Se5X8A+5PSegzQV3sjiZRJ94
qpQORn+P2S1fDQwhZ97M0Y5t7TPEutVAuU5CvPdXr7hG2QaxsjjP9mfZl+yDmY1x
78Wd/081rUxGFI8o4Ro9DrwHC4q7xrQ948CiayRyhbt7BUn+MIiGFUe5nphhAQJE
wcrvZvjD8HcIHbBQXRZjxtUHAbrMVSglH1NWNg+bH5C3l59fyodgNfDPVt/v0BZk
7W7xuRwYiiev+VoPOEWXCrX+IW85pV7ZaegmnHpXtXSec1hgvaEQQFsVLlp03QjB
zTq/axjpJgovMqDMC+Uckx9j+zpNvaCbTTUU712PfZZkWzzwoBv9vWY=
=+8Uy
-----END PGP SIGNATURE-----

--- End Message ---
