Hi, I just got alerted to this blog post: http://www.symfony-project.org/blog/2010/06/29/security-release-symfony-1-3-6-and-1-4-6 I'm not aware of a CVE yet. I've added upstream's new release, courtesy Jamie, our proxy maintainer. I am not yet familiar enough with the package, so I'm not sure of the impact. The ability to store files in a directory might or might not result in a Denial of Service. I'm not sure if this is an Information Leak, as with other forms of Directory Traversal. Rating could be C4. I'd also kindly ask for security to call arches for a direct stable bump after assessing the situation.
CC:ing proxy maintainer so he's aware of the bug
This package is now stable in the tree, can sec team close?
GLSA vote: NO
GLSA vote: No too; closing noglsa.