Bug 828077 (CVE-2012-2667)

Summary: CVE-2012-2667 php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version
Product: [Other] Security Response
Component: vulnerability
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: christof
Keywords: Security
Whiteboard: impact=moderate,public=20120530,reported=20120602,source=gentoo,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,fedora-all/php-symfony-symfony=affected,epel-6/php-symfony-symfony=affected,cwe=CWE-384[auto]
Fixed In Version: php-symfony-symfony 1.4.18
Doc Type: Bug Fix
Bug Depends On: 828079, 828081

Description Jan Lieskovsky 2012-06-04 04:17:22 EDT
A session fixation flaw was found in the way Symfony, an open-source PHP web application development framework, handled session ID regeneration when removing a user credential, adding several user credentials at once, or changing the 'user authenticated' setting. A remote attacker could provide a specially crafted URL that, when visited by a valid Symfony application user (victim), could lead to unauthorized access to the victim's user account.

[1] https://bugs.gentoo.org/show_bug.cgi?id=418427
[2] http://symfony.com/blog/security-release-symfony-1-4-18-released
[3] http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG

Upstream patch:
[4] http://trac.symfony-project.org/changeset/33466?format=diff&new=33466
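The attack described in the report, modelled as an added example (not Symfony code and not part of the original bug): a minimal in-memory session store stands in for PHP's session handler, and a SecurityUser class carries the three state changes the report names (setAuthenticated, addCredentials, removeCredential). With regenerate_on_change=False the session ID survives the login, so an ID the attacker planted in the victim's browser becomes an authenticated session the attacker already knows; with True the ID is replaced at each transition, which is the behaviour the report attributes to the fixed release. All class, method and parameter names below are illustrative.

```python
"""Session fixation (CWE-384) of the kind reported against Symfony 1.4 before
1.4.18, modelled with a small in-memory session store.  Added example, not
Symfony code; names of classes, methods and parameters are illustrative."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    authenticated: bool = False
    credentials: set = field(default_factory=set)


class SessionStore:
    """Server-side session table keyed by session ID (think PHP's session files)."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def new_id():
        return secrets.token_hex(16)

    def attach(self, sid):
        """Start a session for a client-supplied ID.  Like PHP's default session
        handling, an unknown but well-formed ID is accepted and an empty session
        is created under it; that acceptance is what makes fixation possible."""
        self._sessions.setdefault(sid, Session())
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, sid):
        """Equivalent of session_regenerate_id(true): move the session data to a
        freshly generated ID and delete the old one."""
        data = self._sessions.pop(sid)
        new_sid = self.new_id()
        self._sessions[new_sid] = data
        return new_sid


class SecurityUser:
    """The three state changes from the report.  regenerate_on_change=False keeps
    the session ID across them (the flawed behaviour); True replaces it, so an ID
    known to an attacker never becomes an authenticated or privileged one."""

    def __init__(self, store, sid, regenerate_on_change):
        self.store = store
        self.sid = store.attach(sid)
        self.regenerate = regenerate_on_change

    @property
    def session(self):
        return self.store.lookup(self.sid)

    def _changed(self):
        if self.regenerate:
            self.sid = self.store.regenerate(self.sid)

    def set_authenticated(self, flag):
        if self.session.authenticated != flag:
            self.session.authenticated = flag
            self._changed()

    def add_credentials(self, *creds):
        self.session.credentials.update(creds)
        self._changed()

    def remove_credential(self, cred):
        self.session.credentials.discard(cred)
        self._changed()


def fixation_attack(regenerate_on_change):
    """Return (attacker_gets_authenticated_session, victim_sid_changed).

    1. The attacker picks a session ID the server will accept.
    2. The victim's browser is made to use it, e.g. through a crafted URL that
       carries the ID where the application accepts IDs from the URL, or by
       injecting a session cookie.
    3. The victim logs in and is granted a credential.
    4. The attacker presents the original ID."""
    store = SessionStore()
    fixed_sid = SessionStore.new_id()      # attacker-chosen ID, known in advance
    victim = SecurityUser(store, fixed_sid, regenerate_on_change)
    victim.set_authenticated(True)         # victim logs in
    victim.add_credentials("admin")        # and is granted a credential
    hijacked = store.lookup(fixed_sid)     # attacker replays the planted ID
    attacker_wins = hijacked is not None and hijacked.authenticated
    return attacker_wins, victim.sid != fixed_sid


if __name__ == "__main__":
    print("without regeneration:", fixation_attack(False))
    print("with regeneration:   ", fixation_attack(True))
```

Regenerating on privilege transitions closes the fixation window regardless of how the ID reached the victim; it does not need to happen on every request. Where the framework or PHP configuration accepts session IDs from the URL (session.use_trans_sid), that channel should be disabled as well and sessions restricted to cookies (session.use_only_cookies=1), since the regeneration defends the login but the URL channel is still what lets the attacker plant an ID in the first place.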
Comment 1 Jan Lieskovsky 2012-06-04 04:20:12 EDT
This issue affects the versions of the php-symfony-symfony package, as shipped with Fedora release of 15, 16, and 17. Please schedule an update.

This issue affects the version of the php-symfony-symfony package, as shipped with Fedora EPEL 6. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-06-04 04:21:08 EDT
Created php-symfony-symfony tracking bugs for this issue

Affects: fedora-all [bug 828079]
Affects: epel-6 [bug 828081]
Comment 3 Jan Lieskovsky 2012-06-04 06:34:17 EDT
CVE Request:
[5] http://www.openwall.com/lists/oss-security/2012/06/04/1
Comment 4 Christof Damian 2012-06-04 06:38:16 EDT
I am going to update the packages this evening.
Comment 5 Jan Lieskovsky 2012-06-05 02:24:23 EDT
The CVE identifier of CVE-2012-2667 has been assigned to this issue:
Comment 6 Jan Lieskovsky 2012-06-05 02:25:25 EDT
(In reply to comment #4)
> I am going to update the packages this evening.

Brilliant, thank you for the updates, Christof.