An information disclosure flaw was found in the way Symfony, an open-source PHP web framework, sanitized certain HTTP POST request values. A remote attacker could use this flaw to obtain (unauthorized) read access to arbitrary system files, readable with the privileges of the web server process.

References:
[1] http://symfony.com/blog/security-release-symfony-1-4-20-released
[2] https://bugs.gentoo.org/show_bug.cgi?id=444696

Relevant upstream patch:
[3] http://trac.symfony-project.org/changeset/33598
This issue affects the versions of the php-symfony-symfony package, as shipped with Fedora release of 16 and 17. Please schedule an update.

This issue affects the version of the php-symfony-symfony package, as shipped with Fedora EPEL 6. Please schedule an update.
Created php-symfony-symfony tracking bugs for this issue

Affects: fedora-all [bug 880245]
Affects: epel-6 [bug 880247]
CVE Request: http://www.openwall.com/lists/oss-security/2012/11/26/5
The CVE identifier of CVE-2012-5574 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/11/26/12
php-symfony-symfony-1.4.20-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
php-symfony-symfony-1.4.20-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
php-symfony-symfony-1.4.20-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
php-symfony-symfony-1.4.20-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.