Bug 480390 (CVE-2013-4751) - dev-php/symfony: HOST HTTP Header Spoofing and Validation Bypass Vulnerabilities (CVE-2013-4751)
Summary: dev-php/symfony: HOST HTTP Header Spoofing and Validation Bypass Vulnerabilit...
Status: RESOLVED INVALID
Alias: CVE-2013-4751
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54329/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-09 16:32 UTC by Agostino Sarubbo
Modified: 2013-08-12 00:06 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-08-09 16:32:00 UTC
From ${URL} :

Description

A security issue and a vulnerability have been reported in Symfony, which can be exploited by malicious people to conduct spoofing attacks and bypass certain security restrictions.

1) An error when handling the "collectionCascaded" and "collectionCascadedDeeply" fields during serialisation within the Validator component can be exploited to prevent traversal of certain fields with a @Valid constraint and bypass certain validations.

Successful exploitation of this security issue requires that Symfony\Component\Validator\Mapping\Cache\ApcCache or a cache implementing Symfony\Component\Validator\Mapping\Cache\CacheInterface is enabled.

2) An error when handling the HOST HTTP header within the "Request::getHost()" function (Component/HttpFoundation/Request.php) of the HttpFoundation component can be exploited to spoof the host of a request and e.g. manipulate a password reset link generated for a user.

The security issue and the vulnerability are reported in versions prior to 2.0.24, 2.1.12, 2.2.5, and 2.3.3.


Solution:
Update to version 2.0.24, 2.1.12, 2.2.5, or 2.3.3.

Provided and/or discovered by:
1) The vendor credits Alexandre Salome.
2) The vendor credits Jordan Alliot.

Original Advisory:
http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
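The Host header problem described in item 2 of the advisory is the case a trusted-hosts allowlist is meant to close: an absolute link (such as a password reset URL) must never be built from a Host value the client supplied without checking it first. The PHP below is an added example written for this page; it is not Symfony's code and not the fix shipped in the advisory. The pattern list, the canonical host, the function names and the two sample `$_SERVER` arrays are constructed assumptions for illustration.

```php
<?php
// Added example, not Symfony's code: only build absolute links from a Host
// header that matches a configured allowlist; otherwise fall back to a
// canonical host. All names and values below are assumptions.

declare(strict_types=1);

// Constructed allowlist: anchored, case-insensitive patterns for hosts this
// application is allowed to answer for.
const TRUSTED_HOST_PATTERNS = [
    '/^app\.example\.org$/i',
    '/^(?:[a-z0-9-]+\.)?example\.org$/i',
];

// Canonical host used whenever the request carries no acceptable Host.
const CANONICAL_HOST = 'app.example.org';

/**
 * Normalise a raw Host header: trim, lower-case, strip a trailing ":port",
 * and reject anything that is not a plain RFC 1123 style host name
 * (bracketed IPv6 literals and injected characters fail the check).
 */
function normalize_host(string $raw): ?string
{
    $host = strtolower(trim($raw));
    $host = preg_replace('/:\d+$/', '', $host);
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^(?:' . $label . '\.)*' . $label . '$/', $host)) {
        return null;
    }
    return $host;
}

/**
 * Return the request host if it matches the allowlist, otherwise null.
 * $server is $_SERVER (or a constructed stand-in). X-Forwarded-Host is only
 * consulted when the application is known to sit behind a trusted proxy.
 */
function trusted_request_host(array $server, bool $behindTrustedProxy = false): ?string
{
    $candidates = [];
    if ($behindTrustedProxy && isset($server['HTTP_X_FORWARDED_HOST'])) {
        // Proxies may append a comma-separated chain; the first entry is the
        // host the client actually connected to.
        $candidates[] = explode(',', $server['HTTP_X_FORWARDED_HOST'])[0];
    }
    if (isset($server['HTTP_HOST'])) {
        $candidates[] = $server['HTTP_HOST'];
    }
    foreach ($candidates as $raw) {
        $host = normalize_host($raw);
        if ($host === null) {
            continue;
        }
        foreach (TRUSTED_HOST_PATTERNS as $pattern) {
            if (preg_match($pattern, $host)) {
                return $host;
            }
        }
    }
    return null;
}

/**
 * Build the absolute reset link. The host is either the validated request
 * host or the canonical host; the raw header is never used directly.
 */
function password_reset_link(array $server, string $token): string
{
    $host = trusted_request_host($server) ?? CANONICAL_HOST;
    return 'https://' . $host . '/reset?token=' . rawurlencode($token);
}

// Constructed requests: one legitimate, one with a forged Host header.
$legit  = ['HTTP_HOST' => 'App.Example.org:443'];
$forged = ['HTTP_HOST' => 'attacker.example.net'];

echo password_reset_link($legit, 'tok123'), PHP_EOL;
echo password_reset_link($forged, 'tok123'), PHP_EOL;
```

For the legitimate request the link is built on the normalised request host; for the forged one the allowlist check fails and the link is built on CANONICAL_HOST instead, so the token is never sent to a host chosen by the client. Keeping the allowlist anchored and case-insensitive, and refusing to consult X-Forwarded-Host unless a trusted proxy is actually in front of the application, are the two details that most often go wrong in hand-rolled versions of this check.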
Comment 1 Ole Markus With (RETIRED) gentoo-dev 2013-08-09 16:37:08 UTC
We do not have any of the affected versions in the tree. We only have the 1.4 tree, which is completely different and unrelated to the code in the 2.0 tree.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-12 00:06:40 UTC
Indeed, no affected version in tree. Closing INVALID.