Red Hat Bugzilla – Bug 1285263
CVE-2015-8124 CVE-2015-8125 php-symfony: Session fixation and remote timing attack vulnerabilities
Last modified: 2016-11-08 11:05:40 EST
Two security issues in php-symfony were found:
CVE-2015-8124: Session Fixation in the "Remember Me" Login Feature
A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker.
CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember-Me Service
Several potential remote timing attack vulnerabilities were discovered in classes from the Symfony Security component (Symfony\Component\Security\Http\RememberMe\PersistentTokenBasedRememberMeServices and Symfony\Component\Security\Http\Firewall\DigestAuthenticationListener) and in the legacy CSRF implementation from the Symfony Form component (Symfony\Component\Form\Extension\Csrf\CsrfProvider\DefaultCsrfProvider).
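The two defects described above map to two coding patterns. As an added illustration (not Symfony's own code; function names are hypothetical), the following shows a constant-time comparison of the persisted remember-me token value and regeneration of the session id once a remember-me login succeeds:

```php
<?php
// Added illustration, not code from Symfony or from this bug report.
declare(strict_types=1);

/**
 * Compare the token value presented in the remember-me cookie with the
 * stored value. A plain `==`/`===` string comparison can return as soon as
 * the first differing byte is found, so the response time reveals how many
 * leading bytes were correct (the class of issue in CVE-2015-8125).
 */
function tokenMatches(string $presented, string $stored): bool
{
    // hash_equals() takes the same time regardless of where the strings
    // differ. Token values are assumed to be of fixed length, so no length
    // information is leaked by the early "false" for mismatched lengths.
    return hash_equals($stored, $presented);
}

/**
 * On a successful remember-me authentication the session must receive a
 * fresh id. Keeping the pre-login id means an attacker who already knew it
 * can use the now-authenticated session (the class of issue in CVE-2015-8124).
 */
function loginFromRememberMe(string $username, string $presented, string $stored): bool
{
    if (!tokenMatches($presented, $stored)) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a new session id and delete the old session data.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return true;
}
```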
Created php-symfony tracking bugs for this issue:
Affects: fedora-all [bug 1285264]
Affects: epel-all [bug 1285265]
php-symfony-2.7.7-2.fc23, php-twig-1.23.1-2.fc23 have been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
php-symfony-2.7.7-2.fc22, php-twig-1.23.1-2.fc22 have been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
All dependent bugs have been closed. Please close this tracking bug as well.