Debian DSA-3276-1 : symfony - security update

medium Nessus Plugin ID 83919

Synopsis

The remote Debian host is missing a security-related update.

Description

Jakub Zalas discovered that Symfony, a framework to create websites and web applications, was vulnerable to restriction bypass. It was affecting applications with ESI or SSI support enabled, that use the FragmentListener. A malicious user could call any controller via the /_fragment path by providing an invalid hash in the URL (or removing it), bypassing URL signing and security rules.

Solution

Upgrade the symfony packages.

For the stable distribution (jessie), this problem has been fixed in version 2.3.21+dfsg-4+deb8u1.

See Also

https://packages.debian.org/source/jessie/symfony

https://www.debian.org/security/2015/dsa-3276

Plugin Details

Severity: Medium

ID: 83919

File Name: debian_DSA-3276.nasl

Version: 2.5

Type: local

Agent: unix

Published: 6/2/2015

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:8.0, p-cpe:/a:debian:debian_linux:symfony

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 5/31/2015

Reference Information

CVE: CVE-2015-4050

DSA: 3276