Date: Tue, 05 Jun 2012 00:22:08 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- Symfony / php-symfony-symfony:
 Session fixation flaw corrected in upstream 1.4.18 version

On 06/04/2012 12:39 PM, Kurt Seifried wrote:
> On 06/04/2012 02:26 AM, Jan Lieskovsky wrote:
>> Hello Kurt, Steve, vendors,
> 
>> a session fixation flaw was found in the way Symfony, an 
>> open-source PHP web applications development framework,
>> performed removal of user credential, adding several user
>> credentials at once and 'user authenticated' settings change by
>> regenerating session ID. A remote attacker could provide a
>> specially-crafted URL, that when visited by a valid Symfony
>> application user (victim) could lead to unauthorized access to
>> the victim's user account.
> 
>> References:
>> [1] https://bugs.gentoo.org/show_bug.cgi?id=418427
>> [2] http://symfony.com/blog/security-release-symfony-1-4-18-released
>> [3] http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG
>>
>> Upstream patch:
>> [4] http://trac.symfony-project.org/changeset/33466?format=diff&new=33466
>>
>> Could you allocate a CVE id for this? (afaics one hasn't been
>> requested for this issue yet during the last month / from the
>> start of June 2012)
> 
>> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat 
>> Security Response Team
> 
> Please use CVE-2011-4964 for this issue.

Argh I was not paying attention and assigned the wrong year.

Please REJECT CVE-2011-4964 and use CVE-2012-2667 instead.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

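The flaw class in the request above (a session whose ID survives a change of authentication state, so an ID the attacker planted before login is authenticated after it) can be shown without a web server. The following is an added example written for this page, not Symfony's code and not part of the thread; the `SessionStore` and `SecurityUser` classes and their method names are hypothetical, the in-memory store stands in for PHP's session handler, and it assumes PHP 8.0 or later.

```php
<?php
// Added example (not Symfony code): models session fixation and the fix of
// regenerating the session ID whenever authentication state or credentials
// change. SessionStore and SecurityUser are hypothetical names.

final class SessionStore
{
    /** @var array<string, array<string, mixed>> session id => attributes */
    private array $sessions = [];

    public function create(): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = ['authenticated' => false, 'credentials' => []];
        return $id;
    }

    public function exists(string $id): bool { return isset($this->sessions[$id]); }
    public function get(string $id): array { return $this->sessions[$id]; }
    public function set(string $id, array $data): void { $this->sessions[$id] = $data; }

    // Same effect as session_regenerate_id(true): move the data to a fresh id
    // and destroy the old id so a previously fixed id is no longer valid.
    public function regenerate(string $oldId): string
    {
        $newId = bin2hex(random_bytes(16));
        $this->sessions[$newId] = $this->sessions[$oldId];
        unset($this->sessions[$oldId]);
        return $newId;
    }
}

// A user bound to one session id; $regenerateOnChange toggles the fix.
final class SecurityUser
{
    public function __construct(
        private SessionStore $store,
        public string $sessionId,
        private bool $regenerateOnChange,
    ) {}

    // Called after every security-relevant change to the session.
    private function changed(): void
    {
        if ($this->regenerateOnChange) {
            $this->sessionId = $this->store->regenerate($this->sessionId);
        }
    }

    public function setAuthenticated(bool $auth): void
    {
        $data = $this->store->get($this->sessionId);
        if ($data['authenticated'] !== $auth) {
            $data['authenticated'] = $auth;
            $this->store->set($this->sessionId, $data);
            $this->changed();
        }
    }

    public function addCredentials(string ...$creds): void
    {
        $data = $this->store->get($this->sessionId);
        $data['credentials'] = array_values(array_unique(array_merge($data['credentials'], $creds)));
        $this->store->set($this->sessionId, $data);
        $this->changed();
    }

    public function removeCredential(string $cred): void
    {
        $data = $this->store->get($this->sessionId);
        $data['credentials'] = array_values(array_diff($data['credentials'], [$cred]));
        $this->store->set($this->sessionId, $data);
        $this->changed();
    }
}

// Scenario: the attacker plants a known, unauthenticated session id on the
// victim (for example through a crafted URL); the victim then logs in with it.
// Returns true when the planted id ends up as an authenticated session.
function attackerIdIsAuthenticated(bool $withFix): bool
{
    $store = new SessionStore();
    $fixedId = $store->create();                 // id known to the attacker
    $victim = new SecurityUser($store, $fixedId, $withFix);
    $victim->setAuthenticated(true);             // victim logs in
    $victim->addCredentials('admin');            // and gains a credential

    return $store->exists($fixedId) && $store->get($fixedId)['authenticated'];
}

echo 'without regeneration, attacker id authenticated: ',
    var_export(attackerIdIsAuthenticated(false), true), PHP_EOL;
echo 'with regeneration, attacker id authenticated:    ',
    var_export(attackerIdIsAuthenticated(true), true), PHP_EOL;
```

In a real PHP application the `regenerate()` call corresponds to `session_regenerate_id(true)` at login, logout, and any change to the set of credentials; the `true` argument matters, because without it the old session file (and the planted id) stays valid.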
