Re: Request for testing - symfony
Replying to myself here.

On Mon, Mar 04, 2019 at 11:22:35PM -0500, Roberto C. Sánchez wrote:
>
> This was very helpful. I was convinced that there had to be some way to
> get to a working app with just the components in the Debian packages. I
> will try to perform some testing and will report back if I still need
> additional help.
>
I was able to perform some very basic testing. It appears that nothing is
catastrophically broken. However, I was not able to find reproducers or even
sufficiently detailed descriptions to be able to reproduce the vulnerable
behavior. However, since all of the fixes appear to be accompanied by unit
tests that exercise the specific code that was changed.

> That said, if anyone out there is able to test, either positive or
> negative reports would be very helpful.
>
I still intend to upload on Saturday the current package as I have prepared
it, unless there are any reports of problems.

Regards,

-Roberto

--
Roberto C. Sánchez
Re: Request for testing - symfony
On Mon, Mar 04, 2019 at 07:07:30PM +0100, Sylvain Beucler wrote:
>
> I haven't touched Symfony in a while, but I can contribute a few bits:
>
> - The symfony installer is not packaged in Debian
>   https://github.com/symfony/symfony-installer
>   I tried to run an old version from git but couldn't find the appropriate
>   tag matching symfony 2.3.21 (which the Symfony installers depends on (sic))
>   This makes me wonder if the Symfony Framework is used in Debian, or if
>   only some of its sub-packages are useful.
>   Alternatively one could use composer which is not in oldstable (composer
>   create-project symfony/framework-standard-edition ).
>
> - The closest I could get to a test environment is:
>   curl -LsS https://symfony.com/installer -o /usr/local/bin/symfony
>   apt install php5-mysql
>   symfony new myproject 2.3.22 # .21 N/A - we'll ditch this one anyway
>   cd myproject/
>   mv vendor/symfony/symfony/src/Symfony vendor/symfony/symfony/src/Symfony.bak
>   ln -s /usr/share/php/Symfony vendor/symfony/symfony/src/
>   # edit IP in web/app_dev.php
>   rm -rf app/bootstrap.php.cache
>   vendor/sensio/distribution-bundle/Sensio/Bundle/DistributionBundle/Resources/bin/build_bootstrap.php
>   php app/console server:run 0.0.0.0:8000
>
> This gives access to a default application and its web control panel.
>
> Not sure if you need people to test for regressions or for the security
> fix (or both) :)
>
> Hope this helps,
> Sylvain
>
This was very helpful. I was convinced that there had to be some way to
get to a working app with just the components in the Debian packages. I
will try to perform some testing and will report back if I still need
additional help.

That said, if anyone out there is able to test, either positive or
negative reports would be very helpful.

Regards,

-Roberto

--
Roberto C. Sánchez
Re: Request for testing - symfony
Hi,

On 02/03/2019 18:46, Roberto C. Sánchez wrote:
> I have prepared an update to symfony (version 2.3.21+dfsg-4+deb8u4)
> which is in need of testing. I intend to upload in one week's time if I do
> not receive any reports of problems. Read on for details if you are in
> a position to help with testing these packages.
>
> I attempted to test the changes myself (I am familiar with PHP) but it
> turns out that Symfony is an entirely different sort of matter. In
> particular, the Debian package itself contains no documentation about
> how to set up even a basic Symfony app and all of the online
> documentation is geared toward the upstream preferred installation
> method which, among other things, requires downloading an installer
> script and ends up creating a symfony executable binary.
>
> In any event, my attempts at testing have so far been unable to overcome
> these obstacles and I fear that continuing to try to figure this out for
> myself will only result in lots of wasted time and effort.
>
> To that end, I am requesting that anyone out there using Symfony on
> jessie and familiar with it please consider installing this upload
> candidate and report any issues encountered.
>
> Note that upstream has a very robust unit test suite and I made sure to
> include any new or updated unit tests with each upstream commit that I
> backported.
>
> The packages may be downloaded here: https://people.debian.org/~roberto/
>
> symfony (2.3.21+dfsg-4+deb8u4) jessie-security; urgency=high
>
>   * Non-maintainer upload by the LTS Team.
>   * Cherry-pick upstream commit to fix unit test regression caused by PHP
>     5.6.27 (specifically, the fix for PHP bug 72972)
>   * Fix additional unit test failures resulting from dates too far in the past
>   * Cherry-pick upstream commits to fix security issues
>     + Fix CVE-2017-16652: [Security] Validate redirect targets using the
>       session cookie domain
>     + Fix CVE-2017-16654: prevent bundle readers from breaking out of paths
>     + Fix CVE-2018-11385: Adding session strategy to ALL listeners to avoid
>       *any* possible fixation
>     + Fix CVE-2018-11408: [SecurityBundle] Fail if security.http_utils cannot
>       be configured
>     + Fix CVE-2018-14773: [HttpFoundation] Remove support for legacy and risky
>       HTTP headers
>     + Fix CVE-2018-19789: [Form] Filter file uploads out of regular form types
>     + Fix CVE-2018-19790: [Security\Http] detect bad redirect targets using
>       backslashes
>
>  -- Roberto C. Sanchez  Fri, 01 Mar 2019 09:20:42 -0500

I haven't touched Symfony in a while, but I can contribute a few bits:

- The symfony installer is not packaged in Debian
  https://github.com/symfony/symfony-installer
  I tried to run an old version from git but couldn't find the appropriate
  tag matching symfony 2.3.21 (which the Symfony installers depends on (sic))
  This makes me wonder if the Symfony Framework is used in Debian, or if
  only some of its sub-packages are useful.
  Alternatively one could use composer which is not in oldstable (composer
  create-project symfony/framework-standard-edition ).

- The closest I could get to a test environment is:
  curl -LsS https://symfony.com/installer -o /usr/local/bin/symfony
  apt install php5-mysql
  symfony new myproject 2.3.22 # .21 N/A - we'll ditch this one anyway
  cd myproject/
  mv vendor/symfony/symfony/src/Symfony vendor/symfony/symfony/src/Symfony.bak
  ln -s /usr/share/php/Symfony vendor/symfony/symfony/src/
  # edit IP in web/app_dev.php
  rm -rf app/bootstrap.php.cache
  vendor/sensio/distribution-bundle/Sensio/Bundle/DistributionBundle/Resources/bin/build_bootstrap.php
  php app/console server:run 0.0.0.0:8000

This gives access to a default application and its web control panel.

Not sure if you need people to test for regressions or for the security
fix (or both) :)

Hope this helps,
Sylvain
Request for testing - symfony
I have prepared an update to symfony (version 2.3.21+dfsg-4+deb8u4)
which is in need of testing. I intend to upload in one week's time if I do
not receive any reports of problems. Read on for details if you are in
a position to help with testing these packages.

I attempted to test the changes myself (I am familiar with PHP) but it
turns out that Symfony is an entirely different sort of matter. In
particular, the Debian package itself contains no documentation about
how to set up even a basic Symfony app and all of the online
documentation is geared toward the upstream preferred installation
method which, among other things, requires downloading an installer
script and ends up creating a symfony executable binary.

In any event, my attempts at testing have so far been unable to overcome
these obstacles and I fear that continuing to try to figure this out for
myself will only result in lots of wasted time and effort.

To that end, I am requesting that anyone out there using Symfony on
jessie and familiar with it please consider installing this upload
candidate and report any issues encountered.

Note that upstream has a very robust unit test suite and I made sure to
include any new or updated unit tests with each upstream commit that I
backported.

The packages may be downloaded here: https://people.debian.org/~roberto/

symfony (2.3.21+dfsg-4+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Cherry-pick upstream commit to fix unit test regression caused by PHP
    5.6.27 (specifically, the fix for PHP bug 72972)
  * Fix additional unit test failures resulting from dates too far in the past
  * Cherry-pick upstream commits to fix security issues
    + Fix CVE-2017-16652: [Security] Validate redirect targets using the
      session cookie domain
    + Fix CVE-2017-16654: prevent bundle readers from breaking out of paths
    + Fix CVE-2018-11385: Adding session strategy to ALL listeners to avoid
      *any* possible fixation
    + Fix CVE-2018-11408: [SecurityBundle] Fail if security.http_utils cannot
      be configured
    + Fix CVE-2018-14773: [HttpFoundation] Remove support for legacy and risky
      HTTP headers
    + Fix CVE-2018-19789: [Form] Filter file uploads out of regular form types
    + Fix CVE-2018-19790: [Security\Http] detect bad redirect targets using
      backslashes

 -- Roberto C. Sanchez  Fri, 01 Mar 2019 09:20:42 -0500

Regards,

-Roberto

--
Roberto C. Sánchez
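Two of the changelog entries above (CVE-2017-16652, redirect targets checked against the session cookie domain, and CVE-2018-19790, redirect targets containing backslashes) describe the same class of check. The following is an added, stand-alone illustration of that check written for this thread; it is not Symfony's code and not the backported patch, and the function name, the cookie-domain parameter and the sample targets are assumptions constructed here.

```php
<?php
// Added illustration (not Symfony's code): a login "target path" is only
// followed if it stays on the session cookie domain. $cookieDomain would
// normally come from session_get_cookie_params()['domain'] (assumption).

/**
 * Return $target if it is a safe redirect destination, else $fallback.
 * A leading dot on $cookieDomain ("." . "example.org") is ignored.
 */
function safeRedirectTarget(string $target, string $cookieDomain, string $fallback = '/'): string
{
    // Backslash class of issue (CVE-2018-19790): browsers normalise "\" to "/",
    // so "/\other.example" or "https:\\other.example" can slip past a check
    // that only looks at the first character(s). Reject them outright.
    if (strpos($target, '\\') !== false) {
        return $fallback;
    }

    // A plain relative path ("/account", not "//host/...") cannot leave this host.
    if ($target !== '' && $target[0] === '/' && (!isset($target[1]) || $target[1] !== '/')) {
        return $target;
    }

    // Cookie-domain class of issue (CVE-2017-16652): absolute and
    // protocol-relative targets must name the cookie domain or a subdomain.
    $host = parse_url($target, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return $fallback;   // no host: "javascript:", bare words, empty string
    }
    $host   = strtolower($host);
    $domain = strtolower(ltrim($cookieDomain, '.'));
    $suffix = '.' . $domain;
    if ($host === $domain || substr($host, -strlen($suffix)) === $suffix) {
        return $target;
    }
    return $fallback;
}

// Constructed sample targets a tester might feed through the check.
$samples = [
    '/account',
    'https://app.example.org/account',
    '/\other.example',
    '//other.example/',
    'https://example.org.other.example/',
];
foreach ($samples as $t) {
    printf("%-40s => %s\n", $t, safeRedirectTarget($t, 'example.org'));
}
```

Running the script against the constructed samples shows which targets are kept and which fall back to "/", which is the behaviour a tester would expect the patched redirect handling to exhibit.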