When an authentication form is submitted by the user and if the user does not exist, the submitted username is stored in the session. If an attacker submit multiple requests with large usernames, he can potentially fill up the session storage.
Created php-symfony tracking bugs for this issue:
Affects: epel-all [bug 1340834]
Affects: fedora-all [bug 1340835]
All dependent bugs closed.