Fedora 23 : php-symfony-2.7.7-2.fc23 / php-twig-1.23.1-2.fc23 (2015-0efcb5fbc5)

high Nessus Plugin ID 89145

Synopsis

The remote Fedora host is missing one or more security updates.

Description

**Twig 1.23.1** (2015-11-05) * fixed some exception messages which triggered PHP warnings * fixed BC on Twig_Test_NodeTestCase **Twig 1.23.0** (2015-10-29)

- deprecated the possibility to override an extension by registering another one with the same name * deprecated Twig_ExtensionInterface::getGlobals() (added Twig_Extension_GlobalsInterface for BC) * deprecated Twig_ExtensionInterface::initRuntime() (added Twig_Extension_InitRuntimeInterface for BC) * deprecated Twig_Environment::computeAlternatives() **Symfony 2.7.7** (2015-11-23) * security #16631 CVE-2015-8124:
Session Fixation in the 'Remember Me' Login Feature (xabbuh) * security #16630 CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember-Me Service (xabbuh) * bug #16588 Sent out a status text for unknown HTTP headers. (dawehner) * bug #16295 [DependencyInjection] Unescape parameters for all types of injection (Nicofuma)

- bug #16574 [Process] Fix PhpProcess with phpdbg runtime (nicolas-grekas) * bug #16578 [Console] Fix bug in windows detection (kbond) * bug #16546 [Serializer] ObjectNormalizer: don't serialize static methods and props (dunglas) * bug #16352 Fix the server variables in the router_*.php files (leofeyer) * bug #16537 [Validator] Allow an empty path with a non empty fragment or a query (jakzal) * bug #16528 [Translation] Add support for Armenian pluralization. (marcosdsanchez)
* bug #16510 [Process] fix Proccess run with pts enabled (ewgRa) * bug #16292 fix race condition at mkdir (#16258) (ewgRa) * bug #15945 [Form] trigger deprecation warning when using empty_value (xabbuh) * bug #16384 [FrameworkBundle] JsonDescriptor - encode container params only once (xabbuh) * bug #16480 [VarDumper] Fix PHP7 type- hints compat (nicolas-grekas) * bug #16463 [PropertyAccess] Port of the performance optimization from 2.3 (dunglas) * bug #16462 [PropertyAccess] Fix dynamic property accessing. (dunglas) * bug #16454 [Serializer] GetSetNormalizer shouldn't set/get static methods (boekkooi) * bug #16453 [Serializer] PropertyNormalizer shouldn't set static properties (boekkooi) * bug #16471 [VarDumper] Fix casting for ReflectionParameter (nicolas-grekas) * bug #16294 [PropertyAccess] Major performance improvement (dunglas)
* bug #16331 fixed Twig deprecation notices (fabpot) * bug #16306 [DoctrineBridge] Fix issue which prevent the profiler to explain a query (Baachi) * bug #16359 Use mb_detect_encoding with $strict = true (nicolas-grekas)
* bug #16144 [Security] don't allow to install the split Security packages (xabbuh)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected php-symfony and / or php-twig packages.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=1285263

http://www.nessus.org/u?c1ffc30f

http://www.nessus.org/u?3617e816

Plugin Details

Severity: High

ID: 89145

File Name: fedora_2015-0efcb5fbc5.nasl

Version: 2.4

Type: local

Agent: unix

Published: 3/4/2016

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:fedoraproject:fedora:23, p-cpe:/a:fedoraproject:fedora:php-twig, p-cpe:/a:fedoraproject:fedora:php-symfony

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 12/5/2015

Vulnerability Publication Date: 12/7/2015

Reference Information

CVE: CVE-2015-8124, CVE-2015-8125