Your message dated Sat, 11 Nov 2023 18:22:26 +0000
with message-id <[email protected]>
and subject line Bug#1055774: fixed in symfony 6.4.0~beta3+dfsg-1
has caused the Debian Bug report #1055774,
regarding symfony: CVE-2023-46734
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1055774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055774
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: symfony
Version: 5.4.30+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 5.4.29+dfsg-1
Control: found -1 5.4.23+dfsg-1
Control: found -1 4.4.19+dfsg-2+deb11u3
Control: found -1 4.4.19+dfsg-2
Control: found -1 3.4.22+dfsg-2+deb10u2
Control: found -1 3.4.22+dfsg-2

Hi,

The following vulnerability was published for symfony.

CVE-2023-46734[0]:
| Symfony is a PHP framework for web and console applications and a
| set of reusable PHP components. Starting in versions 2.0.0, 5.0.0,
| and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig
| filters in CodeExtension use `is_safe=html` but don't actually
| ensure their input is safe. As of versions 4.4.51, 5.4.31, and
| 6.3.8, Symfony now escapes the output of the affected filters.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46734
    https://www.cve.org/CVERecord?id=CVE-2023-46734
[1] https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
[2] https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c

Regards,
Salvatore

--- End Message ---
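The vulnerability class described in the CVE text above (a Twig filter declared `is_safe=html` that returns its argument without escaping it, so autoescaping is bypassed for whatever the caller passed in), illustrated with an added PHP/Twig example. This is not Symfony's CodeExtension code and does not reproduce the affected filters: the filter name `path_badge`, the template and the payload are constructed for this illustration, and Twig is assumed to be installed via Composer.

```php
<?php
// Added illustration, not Symfony's own code: the same filter written twice,
// once trusting its input (the pattern behind CVE-2023-46734) and once escaping it.
require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig installed via Composer

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Hypothetical filter: wraps a file path in a <span> for display.
// 'is_safe' => ['html'] tells Twig the return value is already HTML-safe, so
// autoescaping is skipped for it. Here $path is inserted verbatim, so any
// markup in the (possibly attacker-controlled) value reaches the browser.
$unsafeFilter = new TwigFilter('path_badge', function (string $path): string {
    return '<span class="path">' . $path . '</span>';
}, ['is_safe' => ['html']]);

// Hardened form: still declared is_safe=html, but that claim is now true
// because the filter escapes the untrusted part before adding its own markup.
$safeFilter = new TwigFilter('path_badge', function (string $path): string {
    return '<span class="path">'
        . htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}, ['is_safe' => ['html']]);

// Render a constructed one-line template with the given filter registered.
// Autoescaping is explicitly on: it does not help, because is_safe opts out.
function render(TwigFilter $filter, string $input): string
{
    $twig = new Environment(
        new ArrayLoader(['t' => '{{ p|path_badge }}']),
        ['autoescape' => 'html']
    );
    $twig->addFilter($filter);
    return $twig->render('t', ['p' => $input]);
}

// Constructed attacker-controlled value standing in for a path taken from
// user input (a query string, a form field, an uploaded file name).
$payload = '<img src=x onerror=alert(1)>';

echo "unsafe filter: ", render($unsafeFilter, $payload), PHP_EOL;
echo "safe filter:   ", render($safeFilter, $payload), PHP_EOL;
```

With the first filter the `<img>` tag comes out of `render()` unchanged inside the `<span>`, because Twig honours `is_safe` and applies no escaping; with the second it is entity-encoded. The review rule that follows from the CVE: any filter or function registered with `is_safe` must either escape every untrusted fragment it concatenates itself or drop the `is_safe` declaration and let autoescaping handle the whole result.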
--- Begin Message ---
Source: symfony
Source-Version: 6.4.0~beta3+dfsg-1
Done: David Prévot <[email protected]>

We believe that the bug you reported is fixed in the latest version of
symfony, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated symfony package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 11 Nov 2023 11:24:46 +0100
Source: symfony
Architecture: source
Version: 6.4.0~beta3+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: David Prévot <[email protected]>
Closes: 1055774 1055775
Changes:
 symfony (6.4.0~beta3+dfsg-1) experimental; urgency=medium
 .
   [ Fabien Potencier ]
   * Update VERSION for 6.4.0-BETA3
 .
   [ Nicolas Grekas ]
   * [Webhook] Remove user-submitted type from HTTP response [CVE-2023-46735]
   * [TwigBridge] Ensure CodeExtension's filters properly escape their input
     [CVE-2023-46734] (Closes: #1055774)
 .
   [ Robert ]
   * [Security] Fix possible session fixation when only the *token* changes
     [CVE-2023-46733] (Closes: #1055775)
Checksums-Sha1:
 5042a1fc00ddf77b7a0b0c109a5280e10bc8361c 16637 symfony_6.4.0~beta3+dfsg-1.dsc
 dd955a9df869a471a157df9caf91f301c5897fdb 8031336 symfony_6.4.0~beta3+dfsg.orig.tar.xz
 93eb4cebf830b8c4531e0b6f46d0ea02bc310d1f 61592 symfony_6.4.0~beta3+dfsg-1.debian.tar.xz
 cb2e2dc1d53cb0169650528c9a9d1a085def387c 69798 symfony_6.4.0~beta3+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 1ad53f20dca971c190767ed88d7abd6b5f28dc6b0bc8f50981439b337bf89458 16637 symfony_6.4.0~beta3+dfsg-1.dsc
 2f460decee68520cc1301d79c09caa86bfc8ac582db58b8a7e893e8b86ebe456 8031336 symfony_6.4.0~beta3+dfsg.orig.tar.xz
 7a4f3125e1d365e7e0b55643f530a365f51343f56cfe5289175eef3f207292aa 61592 symfony_6.4.0~beta3+dfsg-1.debian.tar.xz
 6a6397467c29e325779f7e71729c511fc4109b56d178d2178830616efde7f368 69798 symfony_6.4.0~beta3+dfsg-1_amd64.buildinfo
Files:
 53d9419f8289bfb00d25cab1cbc8ff3a 16637 php optional symfony_6.4.0~beta3+dfsg-1.dsc
 fd350891ef3d37518ca69cab89ff05cf 8031336 php optional symfony_6.4.0~beta3+dfsg.orig.tar.xz
 99a7d640257c98006a6cf8edb61bffa6 61592 php optional symfony_6.4.0~beta3+dfsg-1.debian.tar.xz
 d1f4262940684133a420c89f4b4d9219 69798 php optional symfony_6.4.0~beta3+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFGBAEBCAAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmVPwgYSHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08vBUIAJ3MQQymcfLhDeTXK6gJpxT+rpjRwwIn
gi3/e8C4E77u/eZU8C30GRqiLaZ8OjhgJa8RhtvzHC/qV4njXdcK+dJYFFxt62As
CTL8sgl0UfVkGgg7GGx06A8JxDWQ1N+5K0i5kirDrQ3AyuBrt/WvLVGkALbrYezZ
fpyu4xOpFB9ofUg7mUmzq4+VS1ZVWTkGtL/HfkcLB6okHlzM2zEYytmHACVlBoOA
cYFhB/mLNTjxm6ZvHT3W4m7syheViT83YLn5ZW1TcRxsPdizRnpvgh+g0KJQGBBx
TcxNfwv4LKkm0WBO2PVbM1y6VPEW34wz/6+sDiD7FNOr5DNbPZg4KwI=
=Iiz7
-----END PGP SIGNATURE-----

--- End Message ---
