Fedora 30 : php-symfony4 (2019-f5d6a7ce74)

high Nessus Plugin ID 124556

Language:

Synopsis

The remote Fedora host is missing a security update.

Description

**Version 4.2.7** (2019-04-17)

- bug #31107 [Routing] fix trailing slash redirection with non-greedy trailing vars (nicolas-grekas)

- bug #31108 [FrameworkBundle] decorate the ValidatorBuilder's translator with LegacyTranslatorProxy (nicolas-grekas)

- bug #31121 [HttpKernel] Fix get session when the request stack is empty (yceruto)

- bug #31084 [HttpFoundation] Make MimeTypeExtensionGuesser case insensitive (vermeirentony)

- bug #31142 Revert 'bug #30423 [Security] Rework firewall's access denied rule (dimabory)' (chalasr)

- security #cve-2019-10910 [DI] Check service IDs are valid (nicolas-grekas)

- security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine (stof)

- security #cve-2019-10912 [Cache][PHPUnit Bridge] Prevent destructors with side-effects from being unserialized (nicolas-grekas)

- security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (pborreli)

- security #cve-2019-10913 [HttpFoundation] reject invalid method override (nicolas-grekas)

----

**Version 4.2.6** (2019-04-16)

- bug #31088 [DI] fix removing non-shared definition while inlining them (nicolas-grekas)

- bug #29944 [DI] Overriding services autowired by name under _defaults bind not working (przemyslaw-bogusz, renanbr)

- bug #30993 [FrameworkBundle] Fix for Controller DEPRECATED when using composer --optimized (aweelex)

- bug #31076 [HttpKernel] Fixed LoggerDataCollector crashing on empty file (althaus)

- bug #31071 property normalizer should also pass format and context to isAllowedAttribute (dbu)

- bug #31059 Show more accurate message in profiler when missing stopwatch (linaori)

- bug #31026 [Serializer] Add default object class resolver (jdecool)

- bug #31031 [Serializer] MetadataAwareNameConverter: Do not assume that property names are strings (soyuka)

- bug #31043 [VarExporter] support PHP7.4 __serialize &
__unserialize (nicolas-grekas)

- bug #30423 [Security] Rework firewall's access denied rule (dimabory)

- bug #31020 [VarExporter] fix exporting classes with private constructors (nicolas-grekas)

- bug #31012 [Process] Fix missing $extraDirs when open_basedir returns (arsonik)

- bug #30852 [Console] fix buildTableRows when Colspan is use with content too long (Raulnet)

- bug #30950 [Serializer] Also validate callbacks when given in the normalizer context (dbu)

- bug #30907 [Serializer] Respect ignored attributes in cache key of normalizer (dbu)

- bug #30085 Fix TestRunner compatibility to PhpUnit 8 (alexander-schranz)

- bug #30999 Fix dark themed componnents (ro0NL)

- bug #30977 [serializer] prevent mixup in normalizer of the object to populate (dbu)

- bug #30976 [Debug] Fixed error handling when an error is already handled when another error is already handled (5) (lyrixx)

- bug #30979 Fix the configurability of CoreExtension deps in standalone usage (stof)

- bug #30918 [Cache] fix using ProxyAdapter inside TagAwareAdapter (dmaicher)

- bug #30961 [Form] fix translating file validation error message (xabbuh)

- bug #30951 Handle case where no translations were found (greg0ire)

- bug #29800 [Validator] Only traverse arrays that are cascaded into (corphi)

- bug #30921 [Translator] Warm up the translations cache in dev (tgalopin)

- bug #30922 [TwigBridge] fix horizontal spacing of inlined Bootstrap forms (xabbuh)

- bug #30860 [Profiler] Fix dark theme elements color (dFayet)

- bug #30895 [Form] turn failed file uploads into form errors (xabbuh)

- bug #30919 [Translator] Fix wrong dump for PO files (deguif)

- bug #30889 [DependencyInjection] Fix a wrong error when using a factory (Simperfit)

- bug #30911 [Console] Fix table trailing backslash (maidmaid)

- bug #30903 [Messenger] Uses the `SerializerStamp` when deserializing the envelope (sroze)

- bug #30879 [Form] Php doc fixes and cs + optimizations (Jules Pietri)

- bug #30883 [Console] Fix stty not reset when aborting in QuestionHelper::autocomplete() (Simperfit)

- bug #30878 [Console] Fix inconsistent result for choice questions in non-interactive mode (chalasr)

- bug #30825 [Routing] Fix: annotation loader ignores method's default values (voronkovich)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected php-symfony4 package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2019-f5d6a7ce74

Plugin Details

Severity: High

ID: 124556

File Name: fedora_2019-f5d6a7ce74.nasl

Version: 1.6

Type: local

Agent: unix

Published: 5/2/2019

Updated: 5/29/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2019-10912

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:fedoraproject:fedora:30, p-cpe:/a:fedoraproject:fedora:php-symfony4

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/27/2019

Vulnerability Publication Date: 5/16/2019

Reference Information

CVE: CVE-2019-10912