Hi, can we get a symfony 1.4 update? There is a vulnerability in Doctrine 1.2.3.
--
Best regards,
Michal
http://eventhorizon.pl/

---------- Forwarded message ----------
From: Benjamin Eberlei <[email protected]>
Date: 2011/3/20
Subject: [doctrine-user] Security Vulnerability: Upgrade to 1.2.4 and 2.0.3 immediately
To: [email protected], [email protected]

Because of a SQL injection possibility we urge users of Doctrine 1.2 and 2 to upgrade to the newly released versions of both libraries immediately. Both versions only include the security fix and no other changes to their previous versions 1.2.3 and 2.0.2.

Affected versions are:

* 1.2.3 and earlier for PostgreSQL and DB2 Dialects
* 2.0.2 and earlier

The security hole was found today and affects the Doctrine\DBAL\Platforms\AbstractPlatform::modifyLimitQuery() function, which does not cast input values for limit and offset to integer and allows malicious SQL to be executed if these parameters are passed into Doctrine 2 directly from request variables without a previous cast to integer. Functionality built on top of this using limit queries in the ORM, such as Doctrine\ORM\Query::setFirstResult() and Doctrine\ORM\Query::setMaxResults(), is also affected by this security hole.

You can grab the packages from PEAR, Archive or Github; see the respective links for more details:

* ORM http://www.doctrine-project.org/projects/orm/download
* DBAL http://www.doctrine-project.org/projects/dbal/download

The fix for this security hole breaks backwards compatibility for developers that extend the Doctrine\DBAL\Platforms\AbstractPlatform::modifyLimitQuery() method, because it is now marked as final. Please overwrite the Doctrine\DBAL\Platforms\AbstractPlatform::doModifyLimitQuery() method instead.

greetings,
Benjamin

--
You received this message because you are subscribed to the Google Groups "doctrine-user" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/doctrine-user?hl=en.
--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com

You received this message because you are subscribed to the Google Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
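The advisory above describes the root cause as limit and offset values reaching modifyLimitQuery() without a cast to integer. As an added illustration (not Doctrine's or the list members' code), the helper below shows the application-side check a controller should apply before request values reach setFirstResult()/setMaxResults(); parsePaging(), its defaults and $maxPageSize are assumed names, and the inputs at the bottom are constructed.

```php
<?php
// Added example, not part of Doctrine: validate request-supplied paging
// parameters at the edge so only bounded integers reach the ORM.
// parsePaging() and its limits are hypothetical application choices.

/**
 * Accept only strings of ASCII digits (what a query string actually
 * carries) and clamp the result. Returns null when the input cannot be
 * trusted, so the caller can answer 400 instead of forwarding the value.
 *
 * @param array<string, mixed> $query  e.g. $_GET
 * @return array{offset: int, limit: int}|null
 */
function parsePaging(array $query, int $defaultLimit = 20, int $maxPageSize = 100): ?array
{
    $offsetRaw = $query['offset'] ?? '0';
    $limitRaw  = $query['limit']  ?? (string) $defaultLimit;

    foreach ([$offsetRaw, $limitRaw] as $raw) {
        // ctype_digit() rejects "", "-1", "1e3", "10abc" and any non-string;
        // the length guard keeps (int) from overflowing on 32-bit builds.
        if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
            return null;
        }
    }

    $offset = (int) $offsetRaw;
    $limit  = min((int) $limitRaw, $maxPageSize);
    if ($limit < 1) {
        $limit = $defaultLimit;
    }

    return ['offset' => $offset, 'limit' => $limit];
}

// Usage with a Doctrine 2 query; $qb is an assumed QueryBuilder instance:
//   $paging = parsePaging($_GET);
//   if ($paging === null) { http_response_code(400); exit; }
//   $qb->getQuery()->setFirstResult($paging['offset'])->setMaxResults($paging['limit']);

// Constructed inputs for a self-check (requires zend.assertions=1):
assert(parsePaging(['offset' => '40', 'limit' => '25']) === ['offset' => 40, 'limit' => 25]);
assert(parsePaging(['limit' => '5000']) === ['offset' => 0, 'limit' => 100]); // clamped
assert(parsePaging(['offset' => '10abc']) === null);                         // rejected
assert(parsePaging(['offset' => '-1']) === null);                            // rejected
assert(parsePaging(['offset' => ['1']]) === null);                           // rejected
```

This edge check is defence in depth, not a substitute for the upgrade: the advisory's fix lives in the library itself, and any code path that forgets the check would still reach the vulnerable modifyLimitQuery() on 1.2.3 or 2.0.2.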
