Fedora 31 : php-symfony3 (2019-8b0ba02338)

critical Nessus Plugin ID 131202

Language:

Synopsis

The remote Fedora host is missing a security update.

Description

**Version 3.4.35** (2019-11-13)

- bug #34344 [Console] Constant STDOUT might be undefined (nicolas-grekas)

- security #cve-2019-18889 [Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances (nicolas-grekas)

- security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas)

- security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)

----

**Version 3.4.34** (2019-11-11)

- bug #34297 [DI] fix locators with numeric keys (nicolas-grekas)

- bug #34282 [DI] Dont cache classes with missing parents (nicolas-grekas)

- bug #34181 [Stopwatch] Fixed bug in getDuration when counting multiple ongoing periods (TimoBakx)

- bug #34179 [Stopwatch] Fixed a bug in StopwatchEvent::getStartTime (TimoBakx)

- bug #34203 [FrameworkBundle] [HttpKernel] fixed correct EOL and EOM month (erics86)

----

**Version 3.4.33** (2019-11-01)

- bug #33998 [Config] Disable default alphabet sorting in glob function due of unstable sort (hurricane-voronin)

- bug #34144 [Serializer] Improve messages for unexpected resources values (fancyweb)

- bug #34080 [SecurityBundle] correct types for default arguments for firewall configs (shieldo)

- bug #33999 [Form] Make sure to collect child forms created on *_SET_DATA events (yceruto)

- bug #34021 [TwigBridge] do not render errors for checkboxes twice (xabbuh)

- bug #34041 [HttpKernel] fix wrong removal of the just generated container dir (nicolas-grekas)

- bug #34023 [Dotenv] allow LF in single-quoted strings (nicolas-grekas)

- bug #33818 [Yaml] Throw exception for tagged invalid inline elements (gharlan)

- bug #33948 [PropertyInfo] Respect property name case when guessing from public method name (antograssiot)

- bug #33962 [Cache] fixed TagAwareAdapter returning invalid cache (v-m-i)

- bug #33965 [HttpFoundation] Add plus character `+` to legal mime subtype (ilzrv)

- bug #32943 [Dotenv] search variable values in ENV first then env file (soufianZantar)

- bug #33943 [VarDumper] fix resetting the 'bold' state in CliDumper (nicolas-grekas)

----

**Version 3.4.32** (2019-10-07)

- bug #33834 [Validator] Fix ValidValidator group cascading usage (fancyweb)

- bug #33841 [VarDumper] fix dumping uninitialized SplFileInfo (nicolas-grekas)

- bug #33799 [Security]: Don't let falsy usernames slip through impersonation (j4nr6n)

- bug #33814 [HttpFoundation] Check if data passed to SessionBagProxy::initialize is an array (mynameisbogdan)

- bug #33805 [FrameworkBundle] Fix wrong returned status code in ConfigDebugCommand (jschaedl)

- bug #33781 [AnnotationCacheWarmer] add RedirectController to annotation cache (jenschude)

- bug #33777 Fix the :only-of-type pseudo class selector (jakzal)

- bug #32051 [Serializer] Add CsvEncoder tests for PHP 7.4 (ro0NL)

- feature #33776 Copy phpunit.xsd to a predictable path (julienfalque)

- bug #33759 [Security/Http] fix parsing X509 emailAddress (nicolas-grekas)

- bug #33733 [Serializer] fix denormalization of string-arrays with only one element (mkrauser)

- bug #33754 [Cache] fix known tag versions ttl check (SwenVanZanten)

- bug #33646 [HttpFoundation] allow additinal characters in not raw cookies (marie)

- bug #33748 [Console] Do not include hidden commands in suggested alternatives (m-vo)

- bug #33625 [DependencyInjection] Fix wrong exception when service is synthetic (k0d3r1s)

- bug #32522 [Validator] Accept underscores in the URL validator, as the URL will load (battye)

- bug #32437 Fix toolbar load when GET params are present in '_wdt' route (Molkobain)

- bug #32925 [Translation] Collect original locale in case of fallback translation (digilist)

- bug #31198 [FrameworkBundle] Fix framework bundle lock configuration not working as expected (HypeMC)

- bug #33719 [Cache] dont override native Memcached options (nicolas-grekas)

- bug #33675 [PhpUnit] Fix usleep mock return value (fabpot)

- bug #33618 fix tests depending on other components' tests (xabbuh)

- bug #33626 [PropertyInfo] ensure compatibility with type resolver 0.5 (xabbuh)

- bug #33620 [Twig] Fix Twig config extra keys (fabpot)

- bug #33571 [Inflector] add support 'see' to 'ee' for singularize 'fees' to 'fee' (maxhelias)

- bug #32763 [Console] Get dimensions from stty on windows if possible (rtek)

- bug #33518 [Yaml] don't dump a scalar tag value on its own line (xabbuh)

- bug #32818 [HttpKernel] Fix getFileLinkFormat() to avoid returning the wrong URL in Profiler (Arman-Hosseini)

- bug #33487 [HttpKernel] Fix Apache mod_expires Session Cache-Control issue (pbowyer)

- bug #33439 [Validator] Sync string to date behavior and throw a better exception (fancyweb)

- bug #32903 [PHPUnit Bridge] Avoid registering listener twice (alexpott)

- bug #33402 [Finder] Prevent unintentional file locks in Windows (jspringe)

- bug #33396 Fix #33395 PHP 5.3 compatibility (kylekatarnls)

- bug #33385 [Console] allow Command::getName() to return null (nicolas-grekas)

- bug #33353 Return null as Expire header if it was set to null (danrot)

- bug #33382 [ProxyManager] remove ProxiedMethodReturnExpression polyfill (nicolas-grekas)

- bug #33377 [Yaml] fix dumping not inlined scalar tag values (xabbuh)

----

**Version 3.4.31** (2019-08-26)

- bug #33335 [DependencyInjection] Fixed the `getServiceIds` implementation to always return aliases (pdommelen)

- bug #33244 [Router] Fix TraceableUrlMatcher behaviour with trailing slash (Xavier Leune)

- bug #33172 [Console] fixed a PHP notice when there is no function in the stack trace of an Exception (fabpot)

- bug #33157 Fix getMaxFilesize() returning zero (ausi)

- bug #33139 [Intl] Cleanup unused language aliases entry (ro0NL)

- bug #33066 [Serializer] Fix negative DateInterval (jderusse)

- bug #33033 [Lock] consistently throw NotSupportException (xabbuh)

- bug #32516 [FrameworkBundle][Config] Ignore exceptions thrown during reflection classes autoload (fancyweb)

- bug #32981 Fix tests/code for php 7.4 (jderusse)

- bug #32992 [ProxyManagerBridge] Polyfill for unmaintained version (jderusse)

- bug #32933 [PhpUnitBridge] fixed PHPUnit 8.3 compatibility: method handleError was renamed to
__invoke (karser)

- bug #32947 [Intl] Support DateTimeInterface in IntlDateFormatter::format (pierredup)

- bug #32838 [FrameworkBundle] Detect indirect env vars in routing (ro0NL)

- bug #32918 [Intl] Order alpha2 to alpha3 mapping (ro0NL)

- bug #32902 [PhpUnitBridge] Allow sutFqcnResolver to return array (VincentLanglet)

- bug #32682 [HttpFoundation] Revert getClientIp @return docblock (ossinkine)

- bug #32910 [Yaml] PHP-8: Uncaught TypeError: abs() expects parameter 1 to be int or float, string given (Aleksandr Dankovtsev)

- bug #32870 #32853 Check if $this->parameters is array.
(ABGEO07)

- bug #32868 [PhpUnitBridge] Allow symfony/phpunit-bridge > 4.2 to be installed with phpunit 4.8 (jderusse)

- bug #32767 [Yaml] fix comment in multi line value (soufianZantar)

- bug #32790 [HttpFoundation] Fix `getMaxFilesize` (bennyborn)

- bug #32796 [Cache] fix warning on PHP 7.4 (jpauli)

- bug #32806 [Console] fix warning on PHP 7.4 (rez1dent3)

- bug #32809 Don't add object-value of static properties in the signature of container metadata-cache (arjenm)

- bug #30096 [DI] Fix dumping Doctrine-like service graphs (bis) (weaverryan, nicolas-grekas)

- bug #32799 [HttpKernel] do not stopwatch sections when profiler is disabled (Tobion)

----

**Packaging changes**

- One distinct autoloader for each component.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected php-symfony3 package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2019-8b0ba02338

Plugin Details

Severity: Critical

ID: 131202

File Name: fedora_2019-8b0ba02338.nasl

Version: 1.5

Type: local

Agent: unix

Published: 11/22/2019

Updated: 4/10/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-18889

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:php-symfony3, cpe:/o:fedoraproject:fedora:31

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/22/2019

Vulnerability Publication Date: 11/21/2019

Reference Information

CVE: CVE-2019-18887, CVE-2019-18888, CVE-2019-18889