Date: Mon, 26 Nov 2012 10:06:26 -0500 (EST)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE Request -- Symfony (php-symfony-symfony) < 1.4.20: Ability to read arbitrary files on the server, readable with the web server privileges

Hello Kurt, Steve, vendors,

Symfony upstream has released 1.4.20 version:
  http://symfony.com/blog/security-release-symfony-1-4-20-released

correcting one security flaw:

"An information disclosure flaw was found in the way Symfony, an open-source PHP web framework, sanitized certain HTTP POST request values. A remote attacker could use this flaw to obtain (unauthorized) read access to arbitrary system files, readable with the privileges of the web server process."

References:
  https://bugs.gentoo.org/show_bug.cgi?id=444696
  https://bugzilla.redhat.com/show_bug.cgi?id=880240

Relevant upstream patch:
  http://trac.symfony-project.org/changeset/33598

Could you allocate a CVE id for this?

Thank you && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team