Bug 828077 (CVE-2012-2667)

Summary: CVE-2012-2667 php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: christof
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: php-symfony-symfony 1.4.18
Doc Type: Bug Fix
Last Closed: 2019-06-10 10:58:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 828079, 828081

Description Jan Lieskovsky 2012-06-04 08:17:22 UTC
A session fixation flaw was found in the way Symfony, an open-source PHP web application development framework, performed removal of a user credential, addition of several user credentials at once, and 'user authenticated' setting changes by regenerating the session ID. A remote attacker could provide a specially-crafted URL that, when visited by a valid Symfony application user (victim), could lead to unauthorized access to the victim's user account.

References:
[1] https://bugs.gentoo.org/show_bug.cgi?id=418427
[2] http://symfony.com/blog/security-release-symfony-1-4-18-released
[3] http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG

Upstream patch:
[4] http://trac.symfony-project.org/changeset/33466?format=diff&new=33466
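The mitigation the report describes is to issue a fresh session ID whenever the authentication state of the session changes, so that an ID an attacker planted via a crafted URL before login is never carried into the authenticated session. The following is an added illustration of that pattern in plain PHP; it is not Symfony's code and not the upstream patch. The class name `SessionUser`, its methods, and the usage call are hypothetical; they only mirror the three operations named in the report (removing a credential, adding several credentials at once, changing the 'authenticated' flag). The vulnerable shape is the same class with `rotate()` omitted, i.e. state written into a session whose ID the client chose.

```php
<?php
// Added example (not Symfony's own code): a minimal session user object that
// regenerates the PHP session ID whenever authentication state changes.
// Names are hypothetical and constructed for this illustration.

final class SessionUser
{
    private bool $authenticated = false;
    /** @var array<string,bool> credential name => granted */
    private array $credentials = [];

    public function __construct()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            // Refuse session IDs that the server did not issue itself; this
            // closes the "attacker supplies the ID" half of session fixation.
            ini_set('session.use_strict_mode', '1');
            ini_set('session.use_only_cookies', '1');
            session_start();
        }
        $this->authenticated = (bool) ($_SESSION['authenticated'] ?? false);
        $this->credentials = $_SESSION['credentials'] ?? [];
    }

    public function setAuthenticated(bool $flag): void
    {
        if ($flag === $this->authenticated) {
            return; // no state change, nothing to rotate
        }
        $this->authenticated = $flag;
        $this->rotate();
    }

    /** Add several credentials in one call; a single rotation covers them all. */
    public function addCredentials(string ...$names): void
    {
        foreach ($names as $name) {
            $this->credentials[$name] = true;
        }
        $this->rotate();
    }

    public function removeCredential(string $name): void
    {
        unset($this->credentials[$name]);
        $this->rotate();
    }

    public function hasCredential(string $name): bool
    {
        return isset($this->credentials[$name]);
    }

    public function isAuthenticated(): bool
    {
        return $this->authenticated;
    }

    // Persist the new state, then move it under a freshly generated session ID
    // and delete the old session record so the previous ID stops working.
    private function rotate(): void
    {
        $_SESSION['authenticated'] = $this->authenticated;
        $_SESSION['credentials'] = $this->credentials;
        session_regenerate_id(true);
    }
}

// Constructed usage: after the password check has succeeded in a login handler.
$user = new SessionUser();
$user->setAuthenticated(true);
$user->addCredentials('member', 'editor');
$user->removeCredential('editor');
```

Two practical notes: `session_regenerate_id(true)` destroys the old session data immediately, so a page that fires several concurrent requests during login can see the last request fail with the old ID; if that matters, keep the old record for a short grace period rather than skipping regeneration. Also, regenerating on every request (rather than on state change) adds little against fixation and makes that race worse; the report's approach of rotating exactly when privileges change is the right granularity.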

Comment 1 Jan Lieskovsky 2012-06-04 08:20:12 UTC
This issue affects the versions of the php-symfony-symfony package, as shipped with Fedora releases 15, 16, and 17. Please schedule an update.

--

This issue affects the version of the php-symfony-symfony package, as shipped with Fedora EPEL 6. Please schedule an update.

Comment 2 Jan Lieskovsky 2012-06-04 08:21:08 UTC
Created php-symfony-symfony tracking bugs for this issue

Affects: fedora-all [bug 828079]
Affects: epel-6 [bug 828081]

Comment 3 Jan Lieskovsky 2012-06-04 10:34:17 UTC
CVE Request:
[5] http://www.openwall.com/lists/oss-security/2012/06/04/1

Comment 4 Christof Damian 2012-06-04 10:38:16 UTC
I am going to update the packages this evening.

Comment 5 Jan Lieskovsky 2012-06-05 06:24:23 UTC
The CVE identifier of CVE-2012-2667 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2012/06/05/2

Comment 6 Jan Lieskovsky 2012-06-05 06:25:25 UTC
(In reply to comment #4)
> I am going to update the packages this evening.

Brilliant, thank you for the updates, Christof.

Comment 7 Product Security DevOps Team 2019-06-10 10:58:46 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.