[pkg-php-pear] Symfony in stable: Fix for CVE-2016-4423 in git

Daniel Beyer dabe at deb.ymc.ch
Tue May 10 05:40:36 UTC 2016


Hi David

I prepared a fix for CVE-2016-4423 [1] in branch
jessie-security/CVE-2016-4423 [2].
I recycled the Debian version 2.3.21+dfsg-4+deb8u3, since it was never
uploaded to the archive in the past. Please have a look at it and merge down
or cherry-pick whatever you think is appropriate.

In case this should be fixed via DSA, here is an initial draft for it:
----------
Package: symfony
In Mitre's CVE dictionary: CVE-2016-1902, CVE-2016-4423

Several vulnerabilities have been discovered in symfony, a framework to
create websites and web applications. The Common Vulnerabilities and
Exposures project identifies the following problems:

* CVE-2016-1902
  Lander Brandt discovered that on PHP installations where the
  random_bytes() function is not available, Symfony falls back
  to using openssl_random_pseudo_bytes(). If that does not work,
  Symfony generates a secure random number using uniqid() and
  mt_rand(), which are not suitable for cryptographic contexts.

* CVE-2016-4423
  Marek Alaksa of Citadelo discovered that when an authentication form
  is submitted by the user and if the user does not exist, the submitted
  username is stored in the session. If an attacker submits multiple
  requests with large usernames, he can potentially fill up the
  session storage.

For the stable distribution (jessie), these problems have been fixed in
version 2.3.21+dfsg-4+deb8u3.

We recommend that you upgrade your symfony packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
----------

Note that there is another CVE (CVE-2016-2403 [3]), which does not
affect the 2.3 series. But since 2.8 and 3.0 are affected by both
CVE-2016-2403 and CVE-2016-4423, I'll try to prepare updates to 2.8.6
and 3.0.6 later today.

Greetings
Daniel

[1] http://symfony.com/blog/cve-2016-4423-large-username-storage-in-session
[2] http://anonscm.debian.org/cgit/pkg-php/symfony.git/log/?h=jessie-security/CVE-2016-4423
[3] http://symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password
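The two weaknesses named in the draft advisory above, shown side by side as an added example. This is illustration code written for this page, not Symfony's or the Debian package's own code: the function names, the in-memory "session" array, the session key and the 4096-byte username limit are all assumptions made for the example. The first half contrasts a random-bytes helper that degrades to uniqid()/mt_rand() (the CVE-2016-1902 pattern) with one that fails closed; the second half contrasts a login handler that stores any submitted username for an unknown user in the session (the CVE-2016-4423 pattern) with one that bounds the length before touching the session.

```php
<?php
// Added example for this page; not Symfony's or Debian's code.
// Names, the session layout and the 4096-byte limit are assumptions.

// --- 1. Random bytes: never degrade to a non-CSPRNG -------------------------

/** Weak pattern from the advisory: last resort is uniqid() + mt_rand(). */
function weakRandomBytes(int $length): string
{
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($bytes !== false && $strong) {
            return $bytes;
        }
    }
    // Predictable: mt_rand() is a Mersenne Twister, uniqid() is clock-based.
    $bytes = '';
    while (strlen($bytes) < $length) {
        $bytes .= sha1(uniqid((string) mt_rand(), true), true);
    }
    return substr($bytes, 0, $length);
}

/** Hardened: only CSPRNG sources, and an exception rather than a fallback. */
function secureRandomBytes(int $length): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be >= 1');
    }
    if (function_exists('random_bytes')) {
        return random_bytes($length); // PHP >= 7.0; throws if no CSPRNG
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($bytes !== false && $strong === true && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    throw new RuntimeException('No cryptographically secure RNG available');
}

// --- 2. Login form: bound attacker-controlled data before it hits the session

const MAX_USERNAME_LENGTH = 4096;                 // assumed limit (bytes)
const LAST_USERNAME_KEY   = '_security.last_username'; // assumed session key

/** Vulnerable pattern: remembers whatever was submitted for an unknown user. */
function handleLoginVulnerable(array &$session, string $username, callable $userExists): bool
{
    if (!$userExists($username)) {
        $session[LAST_USERNAME_KEY] = $username; // unbounded, per request
        return false;
    }
    return true;
}

/** Hardened: reject oversized usernames before anything is stored. */
function handleLoginHardened(array &$session, string $username, callable $userExists): bool
{
    if (strlen($username) > MAX_USERNAME_LENGTH) {
        throw new LengthException('Invalid username: exceeds ' . MAX_USERNAME_LENGTH . ' bytes');
    }
    if (!$userExists($username)) {
        $session[LAST_USERNAME_KEY] = $username; // now at most 4096 bytes
        return false;
    }
    return true;
}

// Demo with a constructed in-memory "session" and a constructed 1 MiB username.
$userExists = fn(string $u): bool => $u === 'alice';
$huge = str_repeat('A', 1024 * 1024);

$s1 = [];
handleLoginVulnerable($s1, $huge, $userExists);
printf("vulnerable: session now holds %d bytes of attacker data\n", strlen($s1[LAST_USERNAME_KEY]));

$s2 = [];
try {
    handleLoginHardened($s2, $huge, $userExists);
} catch (LengthException $e) {
    printf("hardened: rejected (%s); session holds %d entries\n", $e->getMessage(), count($s2));
}

printf("secure random sample: %s\n", bin2hex(secureRandomBytes(16)));
```

Run it with any PHP 7.4 or newer interpreter (`php example.php`). The point of the first half is the shape of the control flow, not the particular fallback: a random-number helper should raise when no CSPRNG is present rather than silently hand back output from mt_rand(). The point of the second half is where the check sits: the length test runs before the user lookup and before the session write, so an unauthenticated client cannot grow server-side session storage by repeating the request with a large username.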


