A session fixation flaw was found in the way Symfony, an open-source PHP web application development framework, handled session ID regeneration when removing a user credential, adding several user credentials at once, or changing the 'user authenticated' setting. A remote attacker could provide a specially crafted URL that, when visited by a valid Symfony application user (the victim), could lead to unauthorized access to the victim's user account.

References:
[1] https://bugs.gentoo.org/show_bug.cgi?id=418427
[2] http://symfony.com/blog/security-release-symfony-1-4-18-released
[3] http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG

Upstream patch:
[4] http://trac.symfony-project.org/changeset/33466?format=diff&new=33466
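The class of bug described in the report is the one where a session keeps the same ID across a change of authentication state or credentials, so an ID an attacker planted on the victim beforehand stays valid once the victim logs in. The PHP script below is an added illustration of the regenerate-on-privilege-change pattern that closes it; it is not Symfony's code and not the upstream patch. `SessionStore` and `SecurityUser` are hypothetical stand-ins (loosely shaped like a session storage and a security user object), the in-memory store replaces PHP's real session handler so the script runs from the CLI, and the attacker-chosen ID and the `admin` credential are constructed sample data. `$regenerateOnChange` switches between the vulnerable behaviour and the fixed one.

```php
<?php
// Added illustration of the regenerate-on-privilege-change pattern that
// closes session fixation. Not Symfony's code: SessionStore and SecurityUser
// are hypothetical stand-ins, and the in-memory store replaces PHP's real
// session handler so that the script runs from the CLI.
declare(strict_types=1);

/** In-memory stand-in for server-side session storage (assumption). */
final class SessionStore
{
    /** @var array<string, array<string, mixed>> session id => attributes */
    private array $sessions = [];

    public function open(string $id): string
    {
        // Like PHP with session.use_strict_mode=0: an unknown id presented
        // by the client is accepted and a session is created under it.
        $this->sessions[$id] ??= [];
        return $id;
    }

    public function regenerate(string $oldId): string
    {
        // Counterpart of session_regenerate_id(true): move the data to a
        // fresh random id and destroy the old one, so an id the attacker
        // planted no longer names the victim's session.
        $newId = bin2hex(random_bytes(16));
        $this->sessions[$newId] = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);
        return $newId;
    }

    public function exists(string $id): bool { return isset($this->sessions[$id]); }
    public function get(string $id, string $key, $default = null) { return $this->sessions[$id][$key] ?? $default; }
    public function set(string $id, string $key, $value): void { $this->sessions[$id][$key] = $value; }
}

/** Minimal security-user object; $regenerateOnChange toggles the fix. */
final class SecurityUser
{
    public function __construct(
        private SessionStore $store,
        public string $sessionId,
        private bool $regenerateOnChange,
    ) {}

    public function isAuthenticated(): bool
    {
        return (bool) $this->store->get($this->sessionId, 'authenticated', false);
    }

    public function setAuthenticated(bool $authenticated): void
    {
        $changed = $this->isAuthenticated() !== $authenticated;
        $this->store->set($this->sessionId, 'authenticated', $authenticated);
        if ($changed) {
            $this->onPrivilegeChange();
        }
    }

    public function addCredentials(string ...$credentials): void
    {
        $current = $this->store->get($this->sessionId, 'credentials', []);
        $merged = array_values(array_unique(array_merge($current, $credentials)));
        $this->store->set($this->sessionId, 'credentials', $merged);
        if ($merged !== $current) {
            $this->onPrivilegeChange();
        }
    }

    private function onPrivilegeChange(): void
    {
        // The fix: any change of authentication state or credentials
        // invalidates the id the browser (and possibly an attacker) holds.
        if ($this->regenerateOnChange) {
            $this->sessionId = $this->store->regenerate($this->sessionId);
        }
    }
}

/** Replays the fixation scenario; true means the planted id is now authenticated. */
function fixationSucceeds(bool $patched): bool
{
    $store = new SessionStore();
    // 1. The attacker obtains a session id and plants it on the victim
    //    (constructed scenario; the id would travel in a crafted URL).
    $plantedId = $store->open('attacker-chosen-id');
    // 2. The victim's browser presents that id and the victim logs in.
    $victim = new SecurityUser($store, $plantedId, $patched);
    $victim->setAuthenticated(true);
    $victim->addCredentials('admin');
    // 3. The attacker presents the planted id again.
    return $store->exists($plantedId)
        && (bool) $store->get($plantedId, 'authenticated', false);
}

echo 'without regeneration, fixation succeeds: ', var_export(fixationSucceeds(false), true), PHP_EOL;
echo 'with regeneration, fixation succeeds:    ', var_export(fixationSucceeds(true), true), PHP_EOL;
```

Run it with `php fixation.php` (PHP 8.0 or later, for constructor property promotion). The hook is deliberately placed on every privilege transition, not only on login: removing a credential is the same kind of boundary, which is why the report lists it alongside adding credentials and changing the authenticated flag. In a real PHP deployment the regeneration call is `session_regenerate_id(true)`, with the `true` so the old session file is deleted rather than left readable, and `session.use_strict_mode=1` in php.ini is a complementary control that makes PHP refuse to adopt a session ID it did not itself issue, which removes the attacker's ability to pre-seed an ID in the first place.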
This issue affects the versions of the php-symfony-symfony package as shipped with Fedora releases 15, 16, and 17. Please schedule an update.

This issue affects the version of the php-symfony-symfony package as shipped with Fedora EPEL 6. Please schedule an update.
Created php-symfony-symfony tracking bugs for this issue

Affects: fedora-all [bug 828079]
Affects: epel-6 [bug 828081]
CVE Request: [5] http://www.openwall.com/lists/oss-security/2012/06/04/1
I am going to update the packages this evening.
The CVE identifier of CVE-2012-2667 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/06/05/2
(In reply to comment #4)
> I am going to update the packages this evening.

Brilliant, thank you for the updates, Christof.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.