Red Hat Bugzilla – Bug 828077
CVE-2012-2667 php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version
Last modified: 2016-03-04 05:46:33 EST
A session fixation flaw was found in the way Symfony, an open-source PHP web application development framework, performed removal of a user credential, addition of several user credentials at once, and changes of the 'user authenticated' setting by regenerating the session ID. A remote attacker could provide a specially crafted URL that, when visited by a valid Symfony application user (victim), could lead to unauthorized access to the victim's user account.
This issue affects the versions of the php-symfony-symfony package as shipped with Fedora releases 15, 16, and 17. Please schedule an update.
This issue affects the version of the php-symfony-symfony package, as shipped with Fedora EPEL 6. Please schedule an update.
Created php-symfony-symfony tracking bugs for this issue
Affects: fedora-all [bug 828079]
Affects: epel-6 [bug 828081]
I am going to update the packages this evening.
The CVE identifier of CVE-2012-2667 has been assigned to this issue:
(In reply to comment #4)
> I am going to update the packages this evening.
Brilliant, thank you for the updates, Christof.