Your message dated Thu, 28 May 2020 04:33:44 +0000
with message-id <e1jeaei-00054k...@fasolo.debian.org>
and subject line Bug#961415: fixed in symfony 4.4.8-1
has caused the Debian Bug report #961415,
regarding symfony: CVE-2020-5275 CVE-2020-5274 CVE-2020-5255
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
961415: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961415
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: symfony
Version: 4.4.4-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerabilities were published for symfony.

CVE-2020-5275[0]:
| In symfony/security-http before versions 4.4.7 and 5.0.7, when a
| `Firewall` checks an access control rule, it iterates over each rule's
| attributes and stops as soon as the accessDecisionManager decides to
| grant access on an attribute, preventing the check of the next attributes
| that should have been taken into account in a unanimous strategy. The
| accessDecisionManager is now called with all attributes at once,
| allowing the unanimous strategy to be applied on each attribute. This
| issue is patched in versions 4.4.7 and 5.0.7.


CVE-2020-5274[1]:
| In Symfony before versions 5.0.5 and 4.4.5, some properties of the
| Exception were not properly escaped when the `ErrorHandler` rendered
| its stacktrace. In addition, the stacktrace was displayed even in a
| non-debug configuration. The ErrorHandler now escapes all properties
| of the exception, and the stacktrace is only displayed in debug
| configuration. This issue is patched in symfony/http-foundation
| versions 4.4.5 and 5.0.5.


CVE-2020-5255[2]:
| In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not
| contain a `Content-Type` header, affected versions of Symfony can
| fall back to the format defined in the `Accept` header of the request,
| leading to a possible mismatch between the response's content
| and `Content-Type` header. When the response is cached, this can
| prevent the use of the website by other users. This has been patched
| in versions 4.4.7 and 5.0.7.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5275
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5275
[1] https://security-tracker.debian.org/tracker/CVE-2020-5274
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5274
[2] https://security-tracker.debian.org/tracker/CVE-2020-5255
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5255

Regards,
Salvatore

--- End Message ---
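The access-control flaw described for CVE-2020-5275 above, modelled in Python as an added example that is not Symfony's code: a minimal unanimous decision strategy, with the pre-fix per-attribute firewall loop beside the fixed single call over all attributes. The voter, token and rule are constructed, and all names are illustrative rather than Symfony's API.

```python
# Added example (not Symfony's code): a minimal model of an "unanimous"
# access decision and of the firewall loop fixed for CVE-2020-5275.
# RoleVoter, decide_unanimous and firewall_check_* are illustrative names.
GRANTED, ABSTAIN, DENIED = 1, 0, -1


class RoleVoter:
    """Votes on ROLE_* attributes only; abstains on anything else."""

    def vote(self, token_roles, attribute):
        if not attribute.startswith("ROLE_"):
            return ABSTAIN
        return GRANTED if attribute in token_roles else DENIED


def decide_unanimous(voters, token_roles, attributes):
    """Unanimous strategy: one DENIED vote on any attribute denies access;
    otherwise grant only if at least one GRANTED vote was cast
    (i.e. all voters abstaining means deny)."""
    granted = 0
    for attribute in attributes:
        for voter in voters:
            result = voter.vote(token_roles, attribute)
            if result == DENIED:
                return False
            if result == GRANTED:
                granted += 1
    return granted > 0


def firewall_check_before_fix(voters, token_roles, rule_attributes):
    """Vulnerable loop: decide per attribute and stop at the first grant,
    so a later attribute that a voter would deny is never examined."""
    for attribute in rule_attributes:
        if decide_unanimous(voters, token_roles, [attribute]):
            return True
    return False


def firewall_check_after_fix(voters, token_roles, rule_attributes):
    """Fixed behaviour: every attribute of the rule in a single decision."""
    return decide_unanimous(voters, token_roles, rule_attributes)


if __name__ == "__main__":
    # Constructed scenario: an access_control rule requiring ROLE_USER and
    # ROLE_ADMIN, checked for a token that only holds ROLE_USER.
    voters, token, rule = [RoleVoter()], {"ROLE_USER"}, ["ROLE_USER", "ROLE_ADMIN"]
    print("before fix:", firewall_check_before_fix(voters, token, rule))  # True
    print("after fix: ", firewall_check_after_fix(voters, token, rule))   # False
```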
--- Begin Message ---
Source: symfony
Source-Version: 4.4.8-1
Done: David Prévot <taf...@debian.org>

We believe that the bug you reported is fixed in the latest version of
symfony, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated symfony package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Wed, 27 May 2020 14:34:35 -1000
Source: symfony
Architecture: source
Version: 4.4.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: David Prévot <taf...@debian.org>
Closes: 952431 961415
Changes:
 symfony (4.4.8-1) unstable; urgency=medium
 .
   [ Fabien Potencier ]
   * updated VERSION for 4.4.8, fixes security issues (Closes: #961415)
 .
   [ Robin Chalas ]
   * [Security] Fix access_control behavior with unanimous decision strategy
     [CVE-2020-5275]
 .
   [ Yonel Ceruto ]
   * [HttpFoundation] Do not set the default Content-Type based on the Accept
     header [CVE-2020-5255]
 .
   [ Jérémy Derussé ]
   * Escape variable in Exception Template [CVE-2020-5274]
 .
   [ David Prévot ]
   * Use debhelper-compat 13
   * Simplify override_dh_auto_test
   * Workaround failing tests with php7.4 (Closes: #952431)


--- End Message ---
