Bug 1591300 (CVE-2017-16652, CVE-2018-11385, CVE-2018-11386, CVE-2018-11406, CVE-2018-11407, CVE-2018-11408)

Summary: CVE-2017-16652 CVE-2018-11385 CVE-2018-11386 CVE-2018-11406 CVE-2018-11407 CVE-2018-11408 php-symfony: Multiple flaws
Product: Other (Security Response)
Component: vulnerability
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Pedro Sampaio <psampaio>
Assignee: Red Hat Product Security <security-response-team>
CC: abergmann, christof, fedora, james.hogarth, shawn
Doc Type: If docs needed, set a value
Last Closed: 2019-06-10 10:29:10 UTC
Bug Depends On: 1591302, 1591303, 1591748, 1591749, 1591750

Description Pedro Sampaio 2018-06-14 13:47:52 UTC
Multiple flaws in php-symfony.

References:

https://symfony.com/blog/category/security-advisories

Multiple versions affected.

Comment 1 Pedro Sampaio 2018-06-14 13:48:18 UTC
Created php-symfony tracking bugs for this issue:

Affects: epel-all [bug 1591302]
Affects: fedora-all [bug 1591303]

Comment 2 Alexander Bergmann 2018-06-15 06:25:50 UTC
(In reply to Pedro Sampaio from comment #0)
> Multiple flaws fixed in symfony 5.3.2
> 
> References:
> 
> https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/
> 
> Ps. Some of the CVEs were not fixed in this release.

The reference points to the Passenger 5.3.2 security advisory, which talks about CVE-2018-12029 "CHMOD race vulnerability". This has nothing to do with the Symfony issues.

All Symfony security issues can be found here:

https://symfony.com/blog/category/security-advisories

CVE-2017-16652: https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers
CVE-2018-11385: https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication
CVE-2018-11386: https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler
CVE-2018-11406: https://symfony.com/blog/cve-2018-11406-csrf-token-fixation
CVE-2018-11407: https://symfony.com/blog/cve-2018-11407-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password
CVE-2018-11408: https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers

Comment 3 Pedro Sampaio 2018-06-15 12:53:37 UTC
Created php-symfony-symfony tracking bugs for this issue:

Affects: epel-6 [bug 1591749]

Created php-symfony3 tracking bugs for this issue:

Affects: fedora-all [bug 1591750]

Created php-symfony4 tracking bugs for this issue:

Affects: fedora-all [bug 1591748]

Comment 4 Pedro Sampaio 2018-06-15 12:57:59 UTC
(In reply to Alexander Bergmann from comment #2)
> (In reply to Pedro Sampaio from comment #0)
> > Multiple flaws fixed in symfony 5.3.2
> > 
> > References:
> > 
> > https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/
> > 
> > Ps. Some of the CVEs were not fixed in this release.
> 
> The reference points to Passenger 5.3.2 security advisory that talks about
> CVE-2018-12029 "CHMOD race vulnerability". This has nothing to do with the
> Symfony issues.
> 
> All Symfony security issues can be found here:
> 
> https://symfony.com/blog/category/security-advisories
> 
> CVE-2017-16652: https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers
> CVE-2018-11385: https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication
> CVE-2018-11386: https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler
> CVE-2018-11406: https://symfony.com/blog/cve-2018-11406-csrf-token-fixation
> CVE-2018-11407: https://symfony.com/blog/cve-2018-11407-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password
> CVE-2018-11408: https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers

Indeed. Thank you for the correction.

Comment 5 Product Security DevOps Team 2019-06-10 10:29:10 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.