Debian DSA-3402-1 Critical: Symfony Session Fixation And Timing Attack
debian
November 24, 2015
Several vulnerabilities have been discovered in symfony, a framework to create websites and web applications
Summary
CVE-2015-8124
The RedTeam Pentesting GmbH team discovered a session fixation
vulnerability within the "Remember Me" login feature, allowing an
attacker to impersonate the victim towards the web application if
the session id value was previously known to the attacker.
CVE-2015-8125
Several potential remote timing attack vulnerabilities were
discovered in classes from the Symfony Security component and in the
legacy CSRF implementation from the Symfony Form component.
For the stable distribution (jessie), these problems have been fixed in
version 2.3.21+dfsg-4+deb8u2.
For the unstable distribution (sid), these problems have been fixed in
version 2.7.7+dfsg-1.
We recommend that you upgrade your symfony packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: symfony
CVE ID: CVE-2015-8124 CVE-2015-8125
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!