| Summary: | <dev-php/symfony-1.4.18 Session fixation vulnerability (CVE-2012-2667) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Laurent Bachelier <laurent> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | jamie-lists, mabi, php-bugs, proxy-maint, web-apps, webapps-request |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://symfony.com/blog/security-release-symfony-1-4-18-released | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 401625 | | |
| Bug Blocks: | | | |

Description
Laurent Bachelier
2012-05-31 19:07:46 UTC
This is good to bump with a simple version bump. https://raw.github.com/jamiel/gentoo-overlay/master/dev-php/symfony/symfony-1.4.18.ebuild

This is a security issue, so should be handled by security@

+*symfony-1.4.18 (02 Jun 2012) + + 02 Jun 2012; Pawel Hajdan jr +symfony-1.4.18.ebuild: + Version bump wrt security bug #418427.

Ebuild in tree, OK to stabilize?

CVE-2012-2667 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2667): Session fixation vulnerability in lib/user/sfBasicSecurityUser.class.php in SensioLabs Symfony before 1.4.18 allows remote attackers to hijack web sessions via vectors related to the regenerate method and unspecified "database backed session classes."

Vulnerable version removed. Please vote.

Thanks, folks. GLSA Vote: no.

Please do not close security bugs.

GLSA vote: no. Leaving resolved, moving to noglsa.