Your message dated Sat, 02 Dec 2023 19:47:16 +0000
with message-id <[email protected]>
and subject line Bug#1055774: fixed in symfony 5.4.23+dfsg-1+deb12u1
has caused the Debian Bug report #1055774,
regarding symfony: CVE-2023-46734
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1055774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055774
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: symfony
Version: 5.4.30+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 5.4.29+dfsg-1
Control: found -1 5.4.23+dfsg-1
Control: found -1 4.4.19+dfsg-2+deb11u3
Control: found -1 4.4.19+dfsg-2
Control: found -1 3.4.22+dfsg-2+deb10u2
Control: found -1 3.4.22+dfsg-2
Hi,
The following vulnerability was published for symfony.
CVE-2023-46734[0]:
| Symfony is a PHP framework for web and console applications and a
| set of reusable PHP components. Starting in versions 2.0.0, 5.0.0,
| and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig
| filters in CodeExtension use `is_safe=html` but don't actually
| ensure their input is safe. As of versions 4.4.51, 5.4.31, and
| 6.3.8, Symfony now escapes the output of the affected filters.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-46734
https://www.cve.org/CVERecord?id=CVE-2023-46734
[1] https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
[2] https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c
Regards,
Salvatore
--- End Message ---
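As an added illustration of the defect class the report describes (this is example code written for this page, not code from Symfony, from the linked commit, or from the bug reporter): a hypothetical Twig extension with two filters, both declared `is_safe=html`. That option tells Twig to skip autoescaping on the filter's output, so the filter itself becomes responsible for escaping every untrusted value it embeds in its markup. `label_unsafe` shows the vulnerable pattern (markup emitted with raw input); `label_safe` shows the corrected pattern (input escaped before it is placed in the markup). The extension class, filter names and sample input are assumptions; it requires the `twig/twig` package to be installed via Composer.

```php
<?php
// Added example, not Symfony's own code. Assumes `composer require twig/twig`.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Hypothetical extension modelled on the pattern the advisory describes.
final class LabelExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        return [
            // VULNERABLE pattern: is_safe=html disables Twig's autoescaping for
            // the filter's output, but the callable never escapes its input.
            new TwigFilter('label_unsafe', [$this, 'labelUnsafe'], ['is_safe' => ['html']]),
            // FIXED pattern: is_safe=html is still legitimate (the filter emits
            // markup on purpose), but each untrusted value is escaped first.
            new TwigFilter('label_safe', [$this, 'labelSafe'], ['is_safe' => ['html']]),
        ];
    }

    // Shorten a fully qualified class name to its last segment.
    private function shortName(string $name): string
    {
        $pos = strrpos($name, '\\');
        return $pos === false ? $name : substr($name, $pos + 1);
    }

    public function labelUnsafe(string $name): string
    {
        // Raw $name lands inside an attribute and the element body unescaped.
        return sprintf('<abbr title="%s">%s</abbr>', $name, $this->shortName($name));
    }

    public function labelSafe(string $name): string
    {
        $esc = static fn (string $s): string =>
            htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        // Every interpolated value is escaped; only our own markup stays raw.
        return sprintf('<abbr title="%s">%s</abbr>', $esc($name), $esc($this->shortName($name)));
    }
}

$twig = new Environment(new ArrayLoader([
    'unsafe' => '{{ name|label_unsafe }}',
    'safe'   => '{{ name|label_safe }}',
]), ['autoescape' => 'html']);
$twig->addExtension(new LabelExtension());

// Constructed untrusted input: a "class name" that carries markup characters.
$name = 'App\\Foo"><b>x</b>';

// With label_unsafe the quote and tags reach the HTML verbatim, because the
// is_safe declaration has told Twig not to escape the result.
echo $twig->render('unsafe', ['name' => $name]), PHP_EOL;
// With label_safe the same input is rendered as entity-escaped text inside
// the <abbr> element, which is the behaviour the upstream fix restores.
echo $twig->render('safe', ['name' => $name]), PHP_EOL;
```

When reviewing a Twig extension, the check is mechanical: for every filter or function carrying `is_safe`, confirm that the callable escapes each value it interpolates, since autoescaping will not do it afterwards.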
--- Begin Message ---
Source: symfony
Source-Version: 5.4.23+dfsg-1+deb12u1
Done: David Prévot <[email protected]>
We believe that the bug you reported is fixed in the latest version of
symfony, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated symfony package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 11 Nov 2023 18:59:39 +0100
Source: symfony
Architecture: source
Version: 5.4.23+dfsg-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: David Prévot <[email protected]>
Closes: 1055774 1055775
Changes:
symfony (5.4.23+dfsg-1+deb12u1) bookworm; urgency=medium
.
* debian/gbp.conf: Track bookworm branch
* Backport security fixes from Symfony 5.4.31
- [TwigBridge] Ensure CodeExtension's filters properly escape their input
[CVE-2023-46734] (Closes: #1055774)
- [Security] Fix possible session fixation when only the *token* changes
[CVE-2023-46733] (Closes: #1055775)
Checksums-Sha1:
3289ecd9fa56e1c87080c247627872c4514f9341 13233 symfony_5.4.23+dfsg-1+deb12u1.dsc
be3cfce1e3069c529e089af66362dae3a0d1a11f 59984 symfony_5.4.23+dfsg-1+deb12u1.debian.tar.xz
52474c2692bfb36c05c0657b39e8025818be5525 56754 symfony_5.4.23+dfsg-1+deb12u1_amd64.buildinfo
Checksums-Sha256:
a493a4078d7bc8381b1aa92275819c0dee2aa144ae990e34309bd49f96b53aff 13233 symfony_5.4.23+dfsg-1+deb12u1.dsc
7dd58edf81cd5bbb2aea5d8c007e7a6439d533142de244e284beccb4ba5c43a5 59984 symfony_5.4.23+dfsg-1+deb12u1.debian.tar.xz
c1d6e4da7ea1776575968363ff3d16bb7dd55a96a80181f7025cd07e6e1cda3b 56754 symfony_5.4.23+dfsg-1+deb12u1_amd64.buildinfo
Files:
a11a2c97692549c57ae47da71b56416f 13233 php optional symfony_5.4.23+dfsg-1+deb12u1.dsc
7e49d345d48d5654ce7e75f7449575bf 59984 php optional symfony_5.4.23+dfsg-1+deb12u1.debian.tar.xz
7989662e843b0f3243a51b1111dcfe15 56754 php optional symfony_5.4.23+dfsg-1+deb12u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFGBAEBCAAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmVo1FcSHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08854H/18X3Og+y8J9lzxGrS0S2lN80SSalNz9
4IUVZiJgk9VPhUSBo5elWOqdQFlCzETeRjmW35ewcuWA72AlMonf1TjhOCWcGI4e
nLnCcR/buzbsc6g6fHvoNtUm4zMDCXDNn4HKQJAbFmonRE8onsUvCHviTkvW043M
avobqOKhi2gwW8d2hQXeIz4BQ3BuU2bYpO/YrQu50b+RvwGXzmOcL4wbVAS/qXCP
ij8wpk1zUcAWFM5Wjq0VMTTZOaTxWJoeKowGwpqbd9tqc2nqNKUyD35HFeJGW1ka
6mDVvd/gX2F+/9y8iuC8WGbNDHGuC6fWC6RpV61etl13OoIz0v2GRss=
=a8DZ
-----END PGP SIGNATURE-----
--- End Message ---