Source: symfony
Version: 4.4.4-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerabilities were published for symfony.

CVE-2020-5275[0]:
| In symfony/security-http before versions 4.4.7 and 5.0.7, when a
| `Firewall` checks an access control rule, it iterates over each rule's
| attributes and stops as soon as the accessDecisionManager decides to
| grant access on the attribute, preventing the check of the next attributes
| that should have been taken into account in a unanimous strategy. The
| accessDecisionManager is now called with all attributes at once,
| allowing the unanimous strategy to be applied on each attribute. This
| issue is patched in versions 4.4.7 and 5.0.7.

CVE-2020-5274[1]:
| In Symfony before versions 5.0.5 and 4.4.5, some properties of the
| Exception were not properly escaped when the `ErrorHandler` rendered
| its stacktrace. In addition, the stacktrace was displayed even in a
| non-debug configuration. The ErrorHandler now escapes all properties
| of the exception, and the stacktrace is only displayed in debug
| configuration. This issue is patched in symfony/http-foundation
| versions 4.4.5 and 5.0.5.

CVE-2020-5255[2]:
| In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not
| contain a `Content-Type` header, affected versions of Symfony can
| fall back to the format defined in the `Accept` header of the request,
| leading to a possible mismatch between the response's content
| and `Content-Type` header. When the response is cached, this can
| prevent the use of the website by other users. This has been patched
| in versions 4.4.7 and 5.0.7.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5275
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5275
[1] https://security-tracker.debian.org/tracker/CVE-2020-5274
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5274
[2] https://security-tracker.debian.org/tracker/CVE-2020-5255
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5255

Regards,
Salvatore
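The CVE-2020-5275 description above explains the flaw in terms of an access-control loop that stops at the first granted attribute. The following PHP script is an added illustration, not Symfony's own code and not part of the bug report: it builds a small stand-in for a unanimous access decision manager (the `RoleVoter`, `IpVoter`, `decideUnanimous`, `vulnerableCheck` and `fixedCheck` names, and the `IS_FROM_TRUSTED_NETWORK` attribute, are constructed for this example) and contrasts the per-attribute loop with a single decision over the full attribute list.

```php
<?php
// Added illustration of the CVE-2020-5275 pattern (not Symfony's own code).
// All class, function and attribute names below are constructed for this example.

// Vote values, mirroring the usual granted / abstain / denied triple.
const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED  = -1;

// Constructed voter: only understands ROLE_* attributes.
final class RoleVoter
{
    private $roles;

    public function __construct(array $roles)
    {
        $this->roles = $roles;
    }

    public function vote(string $attribute): int
    {
        if (strncmp($attribute, 'ROLE_', 5) !== 0) {
            return ACCESS_ABSTAIN;
        }
        return in_array($attribute, $this->roles, true) ? ACCESS_GRANTED : ACCESS_DENIED;
    }
}

// Constructed voter: only understands the hypothetical IS_FROM_TRUSTED_NETWORK attribute.
final class IpVoter
{
    private $fromTrustedNetwork;

    public function __construct(bool $fromTrustedNetwork)
    {
        $this->fromTrustedNetwork = $fromTrustedNetwork;
    }

    public function vote(string $attribute): int
    {
        if ($attribute !== 'IS_FROM_TRUSTED_NETWORK') {
            return ACCESS_ABSTAIN;
        }
        return $this->fromTrustedNetwork ? ACCESS_GRANTED : ACCESS_DENIED;
    }
}

// Unanimous strategy: a single DENIED vote on any attribute denies access;
// otherwise access is granted only if at least one voter granted something.
function decideUnanimous(array $voters, array $attributes): bool
{
    $grants = 0;
    foreach ($attributes as $attribute) {
        foreach ($voters as $voter) {
            $result = $voter->vote($attribute);
            if ($result === ACCESS_DENIED) {
                return false;
            }
            if ($result === ACCESS_GRANTED) {
                ++$grants;
            }
        }
    }
    return $grants > 0;
}

// Vulnerable pattern: the caller decides one attribute at a time and stops at
// the first grant, so attributes after it are never put to the voters.
function vulnerableCheck(array $voters, array $attributes): bool
{
    foreach ($attributes as $attribute) {
        if (decideUnanimous($voters, [$attribute])) {
            return true; // remaining attributes are skipped here
        }
    }
    return false;
}

// Fixed pattern: one decision over the whole attribute list, so the unanimous
// strategy can veto on any attribute.
function fixedCheck(array $voters, array $attributes): bool
{
    return decideUnanimous($voters, $attributes);
}

// Constructed scenario: the user holds ROLE_USER but is not on the trusted
// network, and the rule requires both attributes.
$voters = [new RoleVoter(['ROLE_USER']), new IpVoter(false)];
$rule   = ['ROLE_USER', 'IS_FROM_TRUSTED_NETWORK'];

var_dump(vulnerableCheck($voters, $rule));
var_dump(fixedCheck($voters, $rule));
```

With this input the vulnerable check grants access, because the first attribute alone satisfies the unanimous strategy and the loop never reaches the network attribute, while the fixed check denies it, because the `IpVoter` vetoes the second attribute once all attributes are evaluated together. The defensive takeaway matches the advisory: an access decision manager configured for unanimity only provides that guarantee when it is handed the complete attribute set in one call.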