[SECURITY] [DLA 1707-1] symfony security update

2019-03-09 Thread Roberto C. Sánchez
Package: symfony
Version: 2.3.21+dfsg-4+deb8u4
CVE ID : CVE-2017-16652 CVE-2017-16654 CVE-2018-11385 CVE-2018-11408 
 CVE-2018-14773 CVE-2018-19789 CVE-2018-19790


Several security vulnerabilities have been discovered in symfony, a PHP
web application framework.  Numerous symfony components are affected:
Security, bundle readers, session handling, SecurityBundle,
HttpFoundation, Form, and Security\Http.

The corresponding upstream advisories contain further details:

[CVE-2017-16652]
https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers

[CVE-2017-16654]
https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths

[CVE-2018-11385]
https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication

[CVE-2018-11408]
https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers

[CVE-2018-14773]
https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers

[CVE-2018-19789]
https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path

[CVE-2018-19790]
https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http

For Debian 8 "Jessie", these problems have been fixed in version
2.3.21+dfsg-4+deb8u4.

We recommend that you upgrade your symfony packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Accepted symfony 2.3.21+dfsg-4+deb8u4 (source all) into oldstable

2019-03-09 Thread Roberto C. Sanchez

Format: 1.8
Date: Fri, 01 Mar 2019 09:20:42 -0500
Source: symfony
Binary: php-symfony-browser-kit php-symfony-class-loader 
php-symfony-classloader php-symfony-config php-symfony-console 
php-symfony-css-selector php-symfony-debug php-symfony-dependency-injection 
php-symfony-dom-crawler php-symfony-event-dispatcher 
php-symfony-eventdispatcher php-symfony-filesystem php-symfony-finder 
php-symfony-form php-symfony-http-foundation php-symfony-http-kernel 
php-symfony-intl php-symfony-locale php-symfony-options-resolver 
php-symfony-process php-symfony-property-access php-symfony-routing 
php-symfony-security php-symfony-serializer php-symfony-stopwatch 
php-symfony-templating php-symfony-translation php-symfony-validator 
php-symfony-yaml php-symfony-doctrine-bridge php-symfony-monolog-bridge 
php-symfony-propel1-bridge php-symfony-proxy-manager-bridge 
php-symfony-swiftmailer-bridge php-symfony-twig-bridge 
php-symfony-framework-bundle php-symfony-security-bundle 
php-symfony-twig-bundle php-symfony-web-profiler-bundle
Architecture: source all
Version: 2.3.21+dfsg-4+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Debian PHP PEAR Maintainers 
Changed-By: Roberto C. Sanchez 
Description:
 php-symfony-browser-kit - simulate the behavior of a web browser
 php-symfony-class-loader - load PHP classes automatically
 php-symfony-classloader - transitional dummy package
 php-symfony-config - load configurations from different data sources
 php-symfony-console - run tasks from the command line
 php-symfony-css-selector - convert CSS selectors to XPath expressions
 php-symfony-debug - tools to make debugging of PHP code easier
 php-symfony-dependency-injection - standardize and centralize construction of 
objects
 php-symfony-doctrine-bridge - integration for Doctrine with Symfony Components
 php-symfony-dom-crawler - ease DOM navigation for HTML and XML documents
 php-symfony-event-dispatcher - dispatch events and listen to them
 php-symfony-eventdispatcher - transitional dummy package
 php-symfony-filesystem - basic filesystem utilities
 php-symfony-finder - find files and directories
 php-symfony-form - create HTML forms and process request data
 php-symfony-framework-bundle - basic, robust and flexible MVC framework
 php-symfony-http-foundation - object-oriented layer for the HTTP specification
 php-symfony-http-kernel - building blocks for flexible and fast HTTP-based 
frameworks
 php-symfony-intl - limited replacement layer for the PHP extension intl
 php-symfony-locale - deprecated replacement layer for the PHP extension intl
 php-symfony-monolog-bridge - integration for Monolog with Symfony Components
 php-symfony-options-resolver - configure objects with option arrays
 php-symfony-process - execute commands in sub-processes
 php-symfony-propel1-bridge - integration for Propel with Symfony Components
 php-symfony-property-access - read from and write to an object or array
 php-symfony-proxy-manager-bridge - integration for ProxyManager with Symfony 
Components
 php-symfony-routing - associate a request with code that generates a response
 php-symfony-security - infrastructure for sophisticated authorization systems
 php-symfony-security-bundle - configurable security system for the Symfony 
framework
 php-symfony-serializer - convert PHP objects into specific formats and vice 
versa
 php-symfony-stopwatch - profile PHP code
 php-symfony-swiftmailer-bridge - integration for Swift Mailer with Symfony 
Components
 php-symfony-templating - tools needed to build a template system
 php-symfony-translation - tools to internationalize an application
 php-symfony-twig-bridge - integration for Twig with Symfony Components
 php-symfony-twig-bundle - configurable integration of Twig with the Symfony 
framework
 php-symfony-validator - tools to validate classes
 php-symfony-web-profiler-bundle - collect requests information for analysis 
and debugging
 php-symfony-yaml - convert YAML to PHP arrays and the other way around
Changes:
 symfony (2.3.21+dfsg-4+deb8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Cherry-pick upstream commit to fix unit test regression caused by PHP
 5.6.27 (specifically, the fix for PHP bug 72972)
   * Fix additional unit test failures resulting from dates too far in the past
   * Cherry-pick upstream commits to fix security issues
 + Fix CVE-2017-16652: [Security] Validate redirect targets using the
   session cookie domain
 + Fix CVE-2017-16654: prevent bundle readers from breaking out of paths
 + Fix CVE-2018-11385: Adding session strategy to ALL listeners to avoid
   *any* possible fixation
 + Fix CVE-2018-11408: [SecurityBundle] Fail if security.http_utils cannot
   be configured
 + Fix CVE-2018-14773: [HttpFoundation] Remove support for legacy and risky
   HTTP headers
 + Fix CVE-2018-19789: [Form] Filter file uploads out of regular form types

Re: Bug#924060: systemd: Memory leak introduced with CVE-2018-16864 fix

2019-03-09 Thread Michael Biebl
Control: notfound -1 232-25+deb9u9
Control: notfound -1 241-1

Hi Will

On 09.03.19 at 00:14, Will Roberts wrote:
> Package: systemd
> Version: 215-17+deb8u10
> Severity: important
> Tags: patch
> 
> Dear Maintainer,
> 
> The fix for CVE-2018-16864 contains a memory leak that was fixed for
> newer distributions of Debian, but not old-stable. I believe this commit
> contains the changes that need to be applied:
> 
> https://salsa.debian.org/systemd-team/systemd/commit/d9c31850e7bfbb537c7fdc81ad9a9fc96a1fd33e

old-stable uploads are generally handled by the LTS team (who also made
this particular upload).
Bringing them into the loop here.

stable and testing/unstable are not affected afaics, so marking accordingly

Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Re: Debian/LTS newbie question

2019-03-09 Thread th.pitsc...@uni.de
Amend (self-answer):

Answers to some of my questions are found in

https://debian-handbook.info/browse/stable/sect.release-lifecycle.html#id-1.4.9.15

(section "Lifecycle of a Release")



Re: Debian/LTS newbie question

2019-03-09 Thread Sylvain Beucler
Hi,

On 09/03/2019 11:44, th.pitsc...@uni.de wrote:
> Hello list members,
>
> is it correct to assume that in Debian versions entering "obsolete"
> state, any "aptitude safe-upgrade" will stop upgrading to newer
> packages other than for the reason of security fixes?
>
> When exactly would also the security related upgrades stop?
>
> In other words: what are the exact assertions given by the specific
> release states "stable", "oldstable", "obsolete" with regards to
> package upgrades? (when the system is left "as is"; i.e. no adjustment
> to the /etc/apt/sources.list)
>
> I searched the general Debian Release info pages, but could not find a
> definite answer.

Actually "stable" is frozen, and only offers security updates
(responsively) and major bug fixes (every few months).
When it becomes "oldstable"/"obsolete stable" it gets less support over
time; see the details and dates at:
https://wiki.debian.org/DebianReleases
https://wiki.debian.org/LTS
https://wiki.debian.org/LTS/Extended

Cheers!
Sylvain



Debian/LTS newbie question

2019-03-09 Thread th.pitsc...@uni.de
Hello list members,

is it correct to assume that in Debian versions entering "obsolete"
state, any "aptitude safe-upgrade" will stop upgrading to newer
packages other than for the reason of security fixes?

When exactly would also the security related upgrades stop?

In other words: what are the exact assertions given by the specific
release states "stable", "oldstable", "obsolete" with regards to
package upgrades? (when the system is left "as is"; i.e. no adjustment
to the /etc/apt/sources.list)

I searched the general Debian Release info pages, but could not find a
definite answer.

Thanks in advance,
Tom